From bbdd1c8f068543ea2fc517ed7c1a919ccacb7301 Mon Sep 17 00:00:00 2001
From: Robin Elfrink
Date: Wed, 29 Aug 2018 11:20:41 +0200
Subject: [PATCH] Add option to change the Tiller Deployment namespace.
---
 roles/kubernetes-apps/helm/defaults/main.yml | 3 ++
 roles/kubernetes-apps/helm/tasks/main.yml | 7 +++--
 .../templates/tiller-clusterrolebinding.yml | 14 --------
 .../tiller-clusterrolebinding.yml.j2 | 29 +++++++++++++++++++
 .../helm/templates/tiller-namespace.yml.j2 | 4 +++
 .../{tiller-sa.yml => tiller-sa.yml.j2} | 2 +-
 6 files changed, 41 insertions(+), 18 deletions(-)
 delete mode 100644 roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
 create mode 100644 roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2
 create mode 100644 roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2
 rename roles/kubernetes-apps/helm/templates/{tiller-sa.yml => tiller-sa.yml.j2} (76%)
diff --git a/roles/kubernetes-apps/helm/defaults/main.yml b/roles/kubernetes-apps/helm/defaults/main.yml
index 2e8174521..15e26596a 100644
--- a/roles/kubernetes-apps/helm/defaults/main.yml
+++ b/roles/kubernetes-apps/helm/defaults/main.yml
@@ -13,6 +13,9 @@ helm_skip_refresh: false
 # Set URL for stable repository
 # helm_stable_repo_url: "https://kubernetes-charts.storage.googleapis.com"
+# Namespace for the Tiller Deployment.
+tiller_namespace: kube-system
+
 # Set node selector options for Tiller Deployment manifest.
 # tiller_node_selectors: "key1=val1,key2=val2"
diff --git a/roles/kubernetes-apps/helm/tasks/main.yml b/roles/kubernetes-apps/helm/tasks/main.yml
index 14d6ec5fe..73b0be0cf 100644
--- a/roles/kubernetes-apps/helm/tasks/main.yml
+++ b/roles/kubernetes-apps/helm/tasks/main.yml
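Review bot: The comment on the new `tiller_namespace` default should say what choosing a namespace implies, because the `tiller` ServiceAccount created there is bound to `cluster-admin` by tiller-clusterrolebinding.yml.j2 in this same patch, so whatever namespace is set here becomes as sensitive as kube-system. Suggest replacing the one-line comment with `# Namespace for the Tiller Deployment. The tiller ServiceAccount in this namespace` / `# is bound to cluster-admin, so guard access to it as you would kube-system.`. Unlike the neighbouring `helm_stable_repo_url` and `tiller_node_selectors` examples this is an active default rather than a commented-out one, which is fine, but the comment should make that deliberate.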
@@ -7,9 +7,10 @@
 - name: Helm | Lay Down Helm Manifests (RBAC)
 template:
- src: "{{item.file}}"
+ src: "{{item.file}}.j2"
 dest: "{{kube_config_dir}}/{{item.file}}"
 with_items:
+ - {name: tiller, file: tiller-namespace.yml, type: namespace}
 - {name: tiller, file: tiller-sa.yml, type: sa}
 - {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding}
 register: manifests
@@ -18,7 +19,7 @@
 - name: Helm | Apply Helm Manifests (RBAC)
 kube:
 name: "{{item.item.name}}"
- namespace: "kube-system"
+ namespace: "{{ tiller_namespace }}"
 kubectl: "{{bin_dir}}/kubectl"
 resource: "{{item.item.type}}"
 filename: "{{kube_config_dir}}/{{item.item.file}}"
@@ -28,7 +29,7 @@
 - name: Helm | Install/upgrade helm
 command: >
- {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace=kube-system
+ {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }}
 {% if helm_skip_refresh %} --skip-refresh{% endif %}
 {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
 {% if rbac_enabled %} --service-account=tiller{% endif %}
diff --git a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
deleted file mode 100644
index 00694181e..000000000
--- a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: tiller
- namespace: kube-system
-subjects:
- - kind: ServiceAccount
- name: tiller
- namespace: kube-system
-roleRef:
- kind: ClusterRole
- name: cluster-admin
- apiGroup: rbac.authorization.k8s.io
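Review bot: The new with_items entry gives the Namespace manifest `name: tiller`, but the object it renders is named `{{ tiller_namespace }}` (tiller-namespace.yml.j2), and the following task passes `name: "{{item.item.name}}"` to the kube module, so any name-based existence check the module does for `resource: namespace` will look for a namespace called `tiller` that never exists; change the entry to `- {name: "{{ tiller_namespace }}", file: tiller-namespace.yml, type: namespace}`. With the default value the task also asks to create `kube-system`, which is always present, so whether this is idempotent depends on the task's `state:`, which lies outside the hunk along with its `when:` clause; please confirm it uses apply-style semantics rather than a plain create. The same mismatch does not affect the sa and clusterrolebinding items, whose objects really are named `tiller`.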
diff --git a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2
new file mode 100644
index 000000000..9bdfdde03
--- /dev/null
+++ b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2
@@ -0,0 +1,29 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: tiller
+ namespace: {{ tiller_namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: tiller
+ namespace: {{ tiller_namespace }}
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+{% if podsecuritypolicy_enabled %}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: psp:tiller
+subjects:
+ - kind: ServiceAccount
+ name: tiller
+ namespace: {{ tiller_namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:privileged
+{% endif %}
diff --git a/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2 b/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2
new file mode 100644
index 000000000..455742185
--- /dev/null
+++ b/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "{{ tiller_namespace}}"
diff --git a/roles/kubernetes-apps/helm/templates/tiller-sa.yml b/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2
similarity index 76%
rename from roles/kubernetes-apps/helm/templates/tiller-sa.yml
rename to roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2
index 606dbb147..09b815725 100644
--- a/roles/kubernetes-apps/helm/templates/tiller-sa.yml
+++ b/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2
@@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: tiller
- namespace: kube-system
+ namespace: {{ tiller_namespace }}
 labels:
 kubernetes.io/cluster-service: "true"
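Review bot: The second ClusterRoleBinding in tiller-clusterrolebinding.yml.j2, which binds the tiller ServiceAccount to the `psp:privileged` ClusterRole whenever `podsecuritypolicy_enabled` is set, is new — the deleted tiller-clusterrolebinding.yml held only the cluster-admin binding — and the subject line mentions only the namespace option, so this additional privilege grant should be named in the description or split into its own commit where it can be reviewed on its own. Separately, `namespace: {{ tiller_namespace }}` under the first `metadata:` has no effect because a ClusterRoleBinding is cluster-scoped; only the `subjects[].namespace` entries matter, so that line can be dropped. The templated values in this file and in tiller-sa.yml.j2 are unquoted while tiller-namespace.yml.j2 quotes the same expression; `namespace: "{{ tiller_namespace }}"` everywhere is consistent and stays a string even if someone sets a value that looks like a number or boolean.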
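Review bot: `name: "{{ tiller_namespace}}"` in tiller-namespace.yml.j2 has no space before the closing braces, unlike every other expression in this patch; it renders identically but reads as a typo, so write `name: "{{ tiller_namespace }}"`. This template is also the only one in the patch that does not start with a `---` document marker; adding it keeps the rendered manifests uniform with tiller-sa.yml.j2 and tiller-clusterrolebinding.yml.j2.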