diff --git a/roles/kargo-defaults/defaults/main.yaml b/roles/kargo-defaults/defaults/main.yaml
index 9a7368d29..91602fdaa 100644
--- a/roles/kargo-defaults/defaults/main.yaml
+++ b/roles/kargo-defaults/defaults/main.yaml
@@ -120,3 +120,14 @@ enable_network_policy: false
 ## at the moment.
 authorization_mode: ['AlwaysAllow']
 rbac_enabled: "{{ 'RBAC' in authorization_mode }}"
+
+ssl_ca_dirs: "[
+  {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
+  '/usr/share/ca-certificates',
+  {% elif ansible_os_family == 'RedHat' -%}
+  '/etc/pki/tls',
+  '/etc/pki/ca-trust',
+  {% elif ansible_os_family == 'Debian' -%}
+  '/usr/share/ca-certificates',
+  {% endif -%}
+  ]"
diff --git a/roles/kubernetes-apps/helm/tasks/main.yml b/roles/kubernetes-apps/helm/tasks/main.yml
index 26792bfc9..d9575e5c4 100644
--- a/roles/kubernetes-apps/helm/tasks/main.yml
+++ b/roles/kubernetes-apps/helm/tasks/main.yml
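Review bot: The value renders as an empty list for any `ansible_os_family` not named in the Jinja chain, and nothing near the key documents that, so a consumer of `ssl_ca_dirs` on another distribution silently ends up with no host CA directories. A comment above the key would make the fallback explicit, e.g. `## Host CA directories handed to Kubernetes components, selected by OS family; unlisted families get an empty list.` Moving this from the `set_fact` task removed in roles/kubernetes/node/tasks/install.yml into role defaults also changes when it is evaluated: defaults are resolved lazily at each reference, so a host without gathered facts now fails on the undefined `ansible_os_family` wherever the variable is first used rather than in the install task; this is inferred from the removed task and worth a note if it is intended.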
@@ -10,19 +10,31 @@
     mode: 0755
   register: helm_container
-- name: Helm | Configure tiller service account for RBAC
-  command: kubectl create serviceaccount tiller --namespace={{ system_namespace }}
-  ignore_errors: yes
-  when: rbac_enabled
+- name: Helm | Lay Down Helm Manifests (RBAC)
+  template:
+    src: "manifests/{{item.file}}"
+    dest: "{{kube_config_dir}}/{{item.file}}"
+  with_items:
+    - {name: tiller, file: tiller-sa.yml, type: sa}
+    - {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding}
+  register: manifests
+  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled
-- name: Helm | Configure tiller rolebindings for RBAC
-  command: kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount={{ system_namespace }}:tiller
-  ignore_errors: yes
-  when: rbac_enabled
+- name: Helm | Apply Helm Manifests (RBAC)
+  kube:
+    name: "{{item.item.name}}"
+    namespace: "{{ system_namespace }}"
+    kubectl: "{{bin_dir}}/kubectl"
+    resource: "{{item.item.type}}"
+    filename: "{{kube_config_dir}}/{{item.item.file}}"
+    state: "{{item.changed | ternary('latest','present') }}"
+  with_items: "{{ manifests.results }}"
+  failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
+  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled
 - name: Helm | Install/upgrade helm
   command: "{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }}"
-  when: helm_container.changed
+  when: helm_container.changed or manifests|changed
 - name: Helm | Patch tiller deployment for RBAC
   command: kubectl patch deployment tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}' -n {{ system_namespace }}
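Review bot: In the `Helm | Apply Helm Manifests (RBAC)` task the `failed_when` inspects `manifests`, which is the result registered by the preceding template task, not this kube task's own result, so an `AlreadyExists` error from kubectl is never actually examined and any other failure of this task is judged on the wrong variable. Register this task's result and test that instead, e.g. `register: helm_rbac_manifests` and `failed_when: helm_rbac_manifests|failed and "Error from server (AlreadyExists)" not in helm_rbac_manifests.msg`; inside `failed_when` Ansible binds the registered name to the current loop item's result, which is what the check needs. The `dns_mode != 'none'` part of both new `when:` conditions looks carried over from a DNS role rather than related to Tiller RBAC; if it is intended, a one-line comment stating why would stop the next reader from removing it. The manifests still bind the tiller service account to `cluster-admin`, exactly as the removed `kubectl create clusterrolebinding` did, so the trust decision is unchanged by the commit and only its mechanism moves.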
diff --git a/roles/kubernetes-apps/helm/templates/manifests/tiller-clusterrolebinding.yml b/roles/kubernetes-apps/helm/templates/manifests/tiller-clusterrolebinding.yml
new file mode 100644
index 000000000..0ac9341ee
--- /dev/null
+++ b/roles/kubernetes-apps/helm/templates/manifests/tiller-clusterrolebinding.yml
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: tiller
+  namespace: {{ system_namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: {{ system_namespace }}
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/roles/kubernetes-apps/helm/templates/manifests/tiller-sa.yml b/roles/kubernetes-apps/helm/templates/manifests/tiller-sa.yml
new file mode 100644
index 000000000..c840f57f8
--- /dev/null
+++ b/roles/kubernetes-apps/helm/templates/manifests/tiller-sa.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tiller
+  namespace: {{ system_namespace }}
+  labels:
+    kubernetes.io/cluster-service: "true"
diff --git a/roles/kubernetes/node/tasks/install.yml b/roles/kubernetes/node/tasks/install.yml
index cb7a10c65..5f5fa0194 100644
--- a/roles/kubernetes/node/tasks/install.yml
+++ b/roles/kubernetes/node/tasks/install.yml
@@ -1,22 +1,8 @@
 ---
-- name: install | Set SSL CA directories
-  set_fact:
-    ssl_ca_dirs: "[
-      {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
-      '/usr/share/ca-certificates',
-      {% elif ansible_os_family == 'RedHat' -%}
-      '/etc/pki/tls',
-      '/etc/pki/ca-trust',
-      {% elif ansible_os_family == 'Debian' -%}
-      '/usr/share/ca-certificates',
-      {% endif -%}
-      ]"
-  tags: facts
-
 - include: "install_{{ kubelet_deployment_type }}.yml"
 - name: install | Write kubelet systemd init file
-  template:
+  template:
     src: "kubelet.{{ kubelet_deployment_type }}.service.j2"
     dest: "/etc/systemd/system/kubelet.service"
     backup: "yes"
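Review bot: `metadata.namespace` on a ClusterRoleBinding has no effect because the resource is cluster-scoped and the API server clears the field, so the `  namespace: {{ system_namespace }}` line under `metadata:` in tiller-clusterrolebinding.yml should be dropped; the `namespace` under `subjects` is the one that identifies the service account and stays. The rendered Jinja values in this file and in tiller-sa.yml are unquoted; writing them as `namespace: "{{ system_namespace }}"` keeps an empty or YAML-special expansion from being parsed as something other than a string. Because the binding grants the tiller service account `cluster-admin`, a header comment stating that scope, e.g. `# Tiller is bound to cluster-admin so helm can manage resources in any namespace; narrow this if a smaller role suffices`, would make the privilege level visible to whoever next edits the manifest.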