Add option to change the Tiller Deployment namespace.

This commit is contained in:
Robin Elfrink 2018-08-29 11:20:41 +02:00
parent f876c89081
commit bbdd1c8f06
6 changed files with 41 additions and 18 deletions

View file

@ -13,6 +13,9 @@ helm_skip_refresh: false
# Set URL for stable repository
# helm_stable_repo_url: "https://kubernetes-charts.storage.googleapis.com"
# Namespace for the Tiller Deployment.
tiller_namespace: kube-system
# Set node selector options for Tiller Deployment manifest.
# tiller_node_selectors: "key1=val1,key2=val2"

View file

@ -7,9 +7,10 @@
- name: Helm | Lay Down Helm Manifests (RBAC)
template:
src: "{{item.file}}"
src: "{{item.file}}.j2"
dest: "{{kube_config_dir}}/{{item.file}}"
with_items:
- {name: tiller, file: tiller-namespace.yml, type: namespace}
- {name: tiller, file: tiller-sa.yml, type: sa}
- {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding}
register: manifests
@ -18,7 +19,7 @@
- name: Helm | Apply Helm Manifests (RBAC)
kube:
name: "{{item.item.name}}"
namespace: "kube-system"
namespace: "{{ tiller_namespace }}"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/{{item.item.file}}"
@ -28,7 +29,7 @@
- name: Helm | Install/upgrade helm
command: >
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace=kube-system
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }}
{% if helm_skip_refresh %} --skip-refresh{% endif %}
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
{% if rbac_enabled %} --service-account=tiller{% endif %}

View file

@ -1,14 +0,0 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller
namespace: kube-system
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io

View file

@ -0,0 +1,29 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller
namespace: {{ tiller_namespace }}
subjects:
- kind: ServiceAccount
name: tiller
namespace: {{ tiller_namespace }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
{% if podsecuritypolicy_enabled %}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: psp:tiller
subjects:
- kind: ServiceAccount
name: tiller
namespace: {{ tiller_namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:privileged
{% endif %}

View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: "{{ tiller_namespace}}"

View file

@ -3,6 +3,6 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
namespace: {{ tiller_namespace }}
labels:
kubernetes.io/cluster-service: "true"