External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-04-07 02:59:24 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into master

Browse Source
This commit is contained in:
bobahspb
2018-03-31 21:48:39 +03:00
committed by GitHub
parent 94a0562c93 b9b028a735
commit 16961f69f2
141 changed files with 654 additions and 262 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
roles/kubernetes-apps/ansible/tasks/cleanup_dns.yml
View File

@@ -2,7 +2,7 @@
- name: Kubernetes Apps | Delete old CoreDNS resources
kube:
name: "coredns"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item }}"
state: absent
@@ -16,7 +16,7 @@
- name: Kubernetes Apps | Delete kubeadm CoreDNS
kube:
name: "coredns"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{ bin_dir }}/kubectl"
resource: "deploy"
state: absent
@@ -28,7 +28,7 @@
- name: Kubernetes Apps | Delete old KubeDNS resources
kube:
name: "kube-dns"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item }}"
state: absent
@@ -41,7 +41,7 @@
- name: Kubernetes Apps | Delete kubeadm KubeDNS
kube:
name: "kube-dns"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item }}"
state: absent

2
roles/kubernetes-apps/ansible/tasks/dashboard.yml
View File

@@ -22,7 +22,7 @@
- name: Kubernetes Apps | Start dashboard
kube:
name: "{{ item.item.name }}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}"
filename: "{{ kube_config_dir }}/{{ item.item.file }}"

6
roles/kubernetes-apps/ansible/tasks/main.yml
View File

@@ -37,7 +37,7 @@
- name: Kubernetes Apps | Start Resources
kube:
name: "{{ item.item.name }}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}"
filename: "{{ kube_config_dir }}/{{ item.item.file }}"
@@ -50,6 +50,10 @@
- dns_mode != 'none'
- inventory_hostname == groups['kube-master'][0]
- not item|skipped
register: resource_result
until: resource_result|succeeded
retries: 4
delay: 5
tags:
- dnsmasq

2
roles/kubernetes-apps/ansible/templates/coredns-clusterrolebinding.yml.j2
View File

@@ -15,4 +15,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: coredns
namespace: {{ system_namespace }}
namespace: kube-system

2
roles/kubernetes-apps/ansible/templates/coredns-config.yml.j2
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: {{ system_namespace }}
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
data:

2
roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2
View File

@@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: coredns{{ coredns_ordinal_suffix | default('') }}
namespace: {{ system_namespace }}
namespace: kube-system
labels:
k8s-app: coredns{{ coredns_ordinal_suffix | default('') }}
kubernetes.io/cluster-service: "true"

2
roles/kubernetes-apps/ansible/templates/coredns-sa.yml.j2
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns
namespace: {{ system_namespace }}
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile

2
roles/kubernetes-apps/ansible/templates/coredns-svc.yml.j2
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: coredns{{ coredns_ordinal_suffix | default('') }}
namespace: {{ system_namespace }}
namespace: kube-system
labels:
k8s-app: coredns{{ coredns_ordinal_suffix | default('') }}
kubernetes.io/cluster-service: "true"

16
roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
View File

@@ -25,7 +25,7 @@ metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: {{ system_namespace }}
namespace: kube-system
type: Opaque
---
@@ -37,7 +37,7 @@ metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: {{ system_namespace }}
namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
@@ -46,7 +46,7 @@ kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: {{ system_namespace }}
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
@@ -81,7 +81,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: {{ system_namespace }}
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@@ -89,7 +89,7 @@ roleRef:
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: {{ system_namespace }}
namespace: kube-system
---
# ------------------- Gross Hack For anonymous auth through api proxy ------------------- #
@@ -103,7 +103,7 @@ rules:
resources: ["services/proxy"]
resourceNames: ["https:kubernetes-dashboard:"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/{{ system_namespace }}/services/https:kubernetes-dashboard:/proxy/*"]
- nonResourceURLs: ["/ui", "/ui/*", "/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/*"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
@@ -128,7 +128,7 @@ metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: {{ system_namespace }}
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -200,7 +200,7 @@ metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: {{ system_namespace }}
namespace: kube-system
spec:
ports:
- port: 443

2
roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrole.yml.j2
View File

@@ -17,7 +17,7 @@ kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cluster-proportional-autoscaler
namespace: {{ system_namespace }}
namespace: kube-system
rules:
- apiGroups: [""]
resources: ["nodes"]

4
roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-clusterrolebinding.yml.j2
View File

@@ -17,11 +17,11 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: cluster-proportional-autoscaler
namespace: {{ system_namespace }}
namespace: kube-system
subjects:
- kind: ServiceAccount
name: cluster-proportional-autoscaler
namespace: {{ system_namespace }}
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-proportional-autoscaler

2
roles/kubernetes-apps/ansible/templates/kubedns-autoscaler-sa.yml.j2
View File

@@ -17,4 +17,4 @@ kind: ServiceAccount
apiVersion: v1
metadata:
name: cluster-proportional-autoscaler
namespace: {{ system_namespace }}
namespace: kube-system

4
roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2
View File

@@ -17,7 +17,7 @@ apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: kubedns-autoscaler
namespace: {{ system_namespace }}
namespace: kube-system
labels:
k8s-app: kubedns-autoscaler
kubernetes.io/cluster-service: "true"
@@ -40,7 +40,7 @@ spec:
memory: "10Mi"
command:
- /cluster-proportional-autoscaler
- --namespace={{ system_namespace }}
- --namespace=kube-system
- --configmap=kubedns-autoscaler
# Should keep target in sync with cluster/addons/dns/kubedns-controller.yaml.base
- --target=Deployment/kube-dns

2
roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2
View File

@@ -3,7 +3,7 @@ apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: kube-dns
namespace: "{{system_namespace}}"
namespace: kube-system
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"

2
roles/kubernetes-apps/ansible/templates/kubedns-sa.yml.j2
View File

@@ -3,6 +3,6 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-dns
namespace: {{ system_namespace }}
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"

2
roles/kubernetes-apps/ansible/templates/kubedns-svc.yml.j2
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: kube-dns
namespace: {{ system_namespace }}
namespace: kube-system
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"

29
roles/kubernetes-apps/cluster_roles/tasks/main.yml
View File

@@ -126,32 +126,3 @@
- kube_version | version_compare('v1.9.3', '<=')
- inventory_hostname == groups['kube-master'][0]
tags: vsphere
# This is not a cluster role, but should be run after kubeconfig is set on master
- name: Write kube system namespace manifest
template:
src: namespace.j2
dest: "{{kube_config_dir}}/{{system_namespace}}-ns.yml"
when: inventory_hostname == groups['kube-master'][0]
tags:
- apps
- name: Check if kube system namespace exists
command: "{{ bin_dir }}/kubectl get ns {{system_namespace}}"
register: 'kubesystem'
changed_when: False
failed_when: False
when: inventory_hostname == groups['kube-master'][0]
tags:
- apps
- name: Create kube system namespace
command: "{{ bin_dir }}/kubectl create -f {{kube_config_dir}}/{{system_namespace}}-ns.yml"
retries: 4
delay: "{{ retry_stagger | random + 3 }}"
register: create_system_ns
until: create_system_ns.rc == 0
changed_when: False
when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
tags:
- apps

2
roles/kubernetes-apps/cluster_roles/templates/namespace.j2
View File

@@ -1,4 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: "{{system_namespace}}"
name: "kube-system"

6
roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml
View File

@@ -10,7 +10,7 @@
when: rbac_enabled
- name: "ElasticSearch | Create Serviceaccount and Clusterrolebinding (RBAC)"
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }} -n {{ system_namespace }}"
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }} -n kube-system"
with_items:
- "efk-sa.yml"
- "efk-clusterrolebinding.yml"
@@ -24,7 +24,7 @@
register: es_deployment_manifest
- name: "ElasticSearch | Create ES deployment"
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-deployment.yaml -n {{ system_namespace }}"
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-deployment.yaml -n kube-system"
run_once: true
when: es_deployment_manifest.changed
@@ -35,6 +35,6 @@
register: es_service_manifest
- name: "ElasticSearch | Create ES service"
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-service.yaml -n {{ system_namespace }}"
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/elasticsearch-service.yaml -n kube-system"
run_once: true
when: es_service_manifest.changed

4
roles/kubernetes-apps/efk/elasticsearch/templates/efk-clusterrolebinding.yml
View File

@@ -3,11 +3,11 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: efk
namespace: {{ system_namespace }}
namespace: kube-system
subjects:
- kind: ServiceAccount
name: efk
namespace: {{ system_namespace }}
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin

2
roles/kubernetes-apps/efk/elasticsearch/templates/efk-sa.yml
View File

@@ -3,6 +3,6 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: efk
namespace: {{ system_namespace }}
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"

2
roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-deployment.yml.j2
View File

@@ -4,7 +4,7 @@ apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: elasticsearch-logging-v1
namespace: "{{ system_namespace }}"
namespace: kube-system
labels:
k8s-app: elasticsearch-logging
version: "{{ elasticsearch_image_tag }}"

2
roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-service.yml.j2
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: elasticsearch-logging
namespace: "{{ system_namespace }}"
namespace: "kube-system"
labels:
k8s-app: elasticsearch-logging
kubernetes.io/cluster-service: "true"

2
roles/kubernetes-apps/efk/fluentd/tasks/main.yml
View File

@@ -17,6 +17,6 @@
register: fluentd_ds_manifest
- name: "Fluentd | Create fluentd daemonset"
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/fluentd-ds.yaml -n {{ system_namespace }}"
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/fluentd-ds.yaml -n kube-system"
run_once: true
when: fluentd_ds_manifest.changed

2
roles/kubernetes-apps/efk/fluentd/templates/fluentd-config.yml.j2
View File

@@ -2,7 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: fluentd-config
namespace: "{{ system_namespace }}"
namespace: "kube-system"
data:
{{ fluentd_config_file }}: |
# This configuration file for Fluentd / td-agent is used

2
roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2
View File

@@ -4,7 +4,7 @@ apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: "fluentd-es-v{{ fluentd_version }}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
labels:
k8s-app: fluentd-es
kubernetes.io/cluster-service: "true"

4
roles/kubernetes-apps/efk/kibana/tasks/main.yml
View File

@@ -10,7 +10,7 @@
filename: "{{kube_config_dir}}/kibana-deployment.yaml"
kubectl: "{{bin_dir}}/kubectl"
name: "kibana-logging"
namespace: "{{system_namespace}}"
namespace: "kube-system"
resource: "deployment"
state: "latest"
with_items: "{{ kibana_deployment_manifest.changed }}"
@@ -27,7 +27,7 @@
filename: "{{kube_config_dir}}/kibana-service.yaml"
kubectl: "{{bin_dir}}/kubectl"
name: "kibana-logging"
namespace: "{{system_namespace}}"
namespace: "kube-system"
resource: "svc"
state: "latest"
with_items: "{{ kibana_service_manifest.changed }}"

2
roles/kubernetes-apps/efk/kibana/templates/kibana-deployment.yml.j2
View File

@@ -4,7 +4,7 @@ apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: kibana-logging
namespace: "{{ system_namespace }}"
namespace: "kube-system"
labels:
k8s-app: kibana-logging
kubernetes.io/cluster-service: "true"

2
roles/kubernetes-apps/efk/kibana/templates/kibana-service.yml.j2
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: Service
metadata:
name: kibana-logging
namespace: "{{ system_namespace }}"
namespace: "kube-system"
labels:
k8s-app: kibana-logging
kubernetes.io/cluster-service: "true"

2
roles/kubernetes-apps/external_provisioner/cephfs_provisioner/defaults/main.yml
View File

@@ -2,7 +2,7 @@
cephfs_provisioner_image_repo: quay.io/kubespray/cephfs-provisioner
cephfs_provisioner_image_tag: 92295a30
cephfs_provisioner_namespace: "{{ system_namespace }}"
cephfs_provisioner_namespace: "kube-system"
cephfs_provisioner_cluster: ceph
cephfs_provisioner_monitors: []
cephfs_provisioner_admin_id: admin

2
roles/kubernetes-apps/external_provisioner/local_volume_provisioner/defaults/main.yml
View File

@@ -2,7 +2,7 @@
local_volume_provisioner_image_repo: quay.io/external_storage/local-volume-provisioner
local_volume_provisioner_image_tag: v2.0.0
local_volume_provisioner_namespace: "{{ system_namespace }}"
local_volume_provisioner_namespace: "kube-system"
local_volume_provisioner_base_dir: /mnt/disks
local_volume_provisioner_mount_dir: /mnt/disks
local_volume_provisioner_storage_class: local-storage

4
roles/kubernetes-apps/helm/tasks/main.yml
View File

@@ -18,7 +18,7 @@
- name: Helm | Apply Helm Manifests (RBAC)
kube:
name: "{{item.item.name}}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/{{item.item.file}}"
@@ -28,7 +28,7 @@
- name: Helm | Install/upgrade helm
command: >
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ system_namespace }}
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace=kube-system
{% if helm_skip_refresh %} --skip-refresh{% endif %}
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
{% if rbac_enabled %} --service-account=tiller{% endif %}

4
roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
View File

@@ -3,11 +3,11 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller
namespace: {{ system_namespace }}
namespace: kube-system
subjects:
- kind: ServiceAccount
name: tiller
namespace: {{ system_namespace }}
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin

2
roles/kubernetes-apps/helm/templates/tiller-sa.yml
View File

@@ -3,6 +3,6 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: {{ system_namespace }}
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"

17
roles/kubernetes-apps/ingress_controller/cert_manager/README.md Normal file
View File

@@ -0,0 +1,17 @@
Deployment files
================
This directory contains example deployment manifests for cert-manager that can
be used in place of the official Helm chart.
This is useful if you are deploying cert-manager into an environment without
Helm, or want to inspect a 'bare minimum' deployment.
Where do these come from?
-------------------------
The manifests in these subdirectories are generated from the Helm chart
automatically. The `values.yaml` files used to configure cert-manager can be
found in [`hack/deploy`](../../hack/deploy/).
They are automatically generated by running `./hack/update-deploy-gen.sh`.

6
roles/kubernetes-apps/ingress_controller/cert_manager/defaults/main.yml Normal file
View File

@@ -0,0 +1,6 @@
---
cert_manager_namespace: "cert-manager"
cert_manager_cpu_requests: 10m
cert_manager_cpu_limits: 30m
cert_manager_memory_requests: 32Mi
cert_manager_memory_limits: 200Mi

38
roles/kubernetes-apps/ingress_controller/cert_manager/tasks/main.yml Normal file
View File

@@ -0,0 +1,38 @@
---
- name: Cert Manager | Create addon dir
file:
path: "{{ kube_config_dir }}/addons/cert_manager"
state: directory
owner: root
group: root
mode: 0755
- name: Cert Manager | Create manifests
template:
src: "{{ item.file }}.j2"
dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
with_items:
- { name: cert-manager-ns, file: cert-manager-ns.yml, type: ns }
- { name: cert-manager-sa, file: cert-manager-sa.yml, type: sa }
- { name: cert-manager-clusterrole, file: cert-manager-clusterrole.yml, type: clusterrole }
- { name: cert-manager-clusterrolebinding, file: cert-manager-clusterrolebinding.yml, type: clusterrolebinding }
- { name: cert-manager-issuer-crd, file: cert-manager-issuer-crd.yml, type: crd }
- { name: cert-manager-clusterissuer-crd, file: cert-manager-clusterissuer-crd.yml, type: crd }
- { name: cert-manager-certificate-crd, file: cert-manager-certificate-crd.yml, type: crd }
- { name: cert-manager-deploy, file: cert-manager-deploy.yml, type: deploy }
register: cert_manager_manifests
when:
- inventory_hostname == groups['kube-master'][0]
- name: Cert Manager | Apply manifests
kube:
name: "{{ item.item.name }}"
namespace: "{{ cert_manager_namespace }}"
kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}"
filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
state: "latest"
with_items: "{{ cert_manager_manifests.results }}"
when:
- inventory_hostname == groups['kube-master'][0]

21
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager-certificate-crd.yml.j2 Normal file
View File

@@ -0,0 +1,21 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: certificates.certmanager.k8s.io
labels:
app: cert-manager
chart: cert-manager-0.2.5
release: cert-manager
heritage: Tiller
spec:
group: certmanager.k8s.io
version: v1alpha1
scope: Namespaced
names:
kind: Certificate
plural: certificates
shortNames:
- cert
- certs

17
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager-clusterissuer-crd.yml.j2 Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: clusterissuers.certmanager.k8s.io
labels:
app: cert-manager
chart: cert-manager-0.2.5
release: cert-manager
heritage: Tiller
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: ClusterIssuer
plural: clusterissuers
scope: Cluster

25
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager-clusterrole.yml.j2 Normal file
View File

@@ -0,0 +1,25 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cert-manager
labels:
app: cert-manager
chart: cert-manager-0.2.5
release: cert-manager
heritage: Tiller
rules:
- apiGroups: ["certmanager.k8s.io"]
resources: ["certificates", "issuers", "clusterissuers"]
verbs: ["*"]
- apiGroups: [""]
# TODO: remove endpoints once 0.4 is released. We include it here in case
# users use the 'master' version of the Helm chart with a 0.2.x release of
# cert-manager that still performs leader election with Endpoint resources.
# We advise users don't do this, but some will anyway and this will reduce
# friction.
resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"]
verbs: ["*"]
- apiGroups: ["extensions"]
resources: ["ingresses"]
verbs: ["*"]

18
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager-clusterrolebinding.yml.j2 Normal file
View File

@@ -0,0 +1,18 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cert-manager
labels:
app: cert-manager
chart: cert-manager-0.2.5
release: cert-manager
heritage: Tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager
subjects:
- name: cert-manager
namespace: {{ cert_manager_namespace }}
kind: ServiceAccount

51
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager-deploy.yml.j2 Normal file
View File

@@ -0,0 +1,51 @@
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: cert-manager
namespace: {{ cert_manager_namespace }}
labels:
app: cert-manager
chart: cert-manager-0.2.5
release: cert-manager
heritage: Tiller
spec:
replicas: 1
template:
metadata:
labels:
k8s-app: cert-manager
release: cert-manager
annotations:
spec:
serviceAccountName: cert-manager
containers:
- name: cert-manager
image: {{ cert_manager_controller_image_repo }}:{{ cert_manager_controller_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
args:
- --cluster-resource-namespace=$(POD_NAMESPACE)
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
resources:
requests:
cpu: {{ cert_manager_cpu_requests }}
memory: {{ cert_manager_memory_requests }}
limits:
cpu: {{ cert_manager_cpu_limits }}
memory: {{ cert_manager_memory_limits }}
- name: ingress-shim
image: {{ cert_manager_ingress_shim_image_repo }}:{{ cert_manager_ingress_shim_image_tag }}
imagePullPolicy: {{ k8s_image_pull_policy }}
resources:
requests:
cpu: {{ cert_manager_cpu_requests }}
memory: {{ cert_manager_memory_requests }}
limits:
cpu: {{ cert_manager_cpu_limits }}
memory: {{ cert_manager_memory_limits }}

17
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager-issuer-crd.yml.j2 Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: issuers.certmanager.k8s.io
labels:
app: cert-manager
chart: cert-manager-0.2.5
release: cert-manager
heritage: Tiller
spec:
group: certmanager.k8s.io
version: v1alpha1
names:
kind: Issuer
plural: issuers
scope: Namespaced

7
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager-ns.yml.j2 Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ cert_manager_namespace }}
labels:
name: {{ cert_manager_namespace }}

11
roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager-sa.yml.j2 Normal file
View File

@@ -0,0 +1,11 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager
namespace: {{ cert_manager_namespace }}
labels:
app: cert-manager
chart: cert-manager-0.2.5
release: cert-manager
heritage: Tiller

4
roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2
View File

@@ -20,6 +20,9 @@ spec:
labels:
k8s-app: ingress-nginx
version: v{{ ingress_nginx_controller_image_tag }}
annotations:
prometheus.io/port: '10254'
prometheus.io/scrape: 'true'
spec:
{% if ingress_nginx_host_network %}
hostNetwork: true
@@ -78,3 +81,4 @@ spec:
{% if rbac_enabled %}
serviceAccountName: ingress-nginx
{% endif %}

7
roles/kubernetes-apps/ingress_controller/meta/main.yml
View File

@@ -6,3 +6,10 @@ dependencies:
- apps
- ingress-nginx
- ingress-controller
- role: kubernetes-apps/ingress_controller/cert_manager
when: cert_manager_enabled
tags:
- apps
- cert-manager
- ingress-controller

2
roles/kubernetes-apps/network_plugin/calico/tasks/main.yml
View File

@@ -2,7 +2,7 @@
- name: Start Calico resources
kube:
name: "{{item.item.name}}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/{{item.item.file}}"

2
roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
View File

@@ -2,7 +2,7 @@
- name: Canal | Start Resources
kube:
name: "{{item.item.name}}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/{{item.item.file}}"

4
roles/kubernetes-apps/network_plugin/cilium/tasks/main.yml
View File

@@ -2,7 +2,7 @@
- name: Cilium | Start Resources
kube:
name: "{{item.item.name}}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/{{item.item.file}}"
@@ -11,7 +11,7 @@
when: inventory_hostname == groups['kube-master'][0] and not item|skipped
- name: Cilium | Wait for pods to run
command: "{{bin_dir}}/kubectl -n {{system_namespace}} get pods -l k8s-app=cilium -o jsonpath='{.items[?(@.status.containerStatuses[0].ready==false)].metadata.name}'"
command: "{{bin_dir}}/kubectl -n kube-system get pods -l k8s-app=cilium -o jsonpath='{.items[?(@.status.containerStatuses[0].ready==false)].metadata.name}'"
register: pods_not_ready
until: pods_not_ready.stdout.find("cilium")==-1
retries: 30

2
roles/kubernetes-apps/network_plugin/contiv/tasks/main.yml
View File

@@ -3,7 +3,7 @@
- name: Contiv | Create Kubernetes resources
kube:
name: "{{ item.item.name }}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{ bin_dir }}/kubectl"
resource: "{{ item.item.type }}"
filename: "{{ contiv_config_dir }}/{{ item.item.file }}"

2
roles/kubernetes-apps/network_plugin/flannel/tasks/main.yml
View File

@@ -2,7 +2,7 @@
- name: Flannel | Start Resources
kube:
name: "{{item.item.name}}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/{{item.item.file}}"

2
roles/kubernetes-apps/network_plugin/weave/tasks/main.yml
View File

@@ -5,7 +5,7 @@
kubectl: "{{ bin_dir }}/kubectl"
filename: "{{ kube_config_dir }}/weave-net.yml"
resource: "ds"
namespace: "{{system_namespace}}"
namespace: "kube-system"
state: "latest"
when: inventory_hostname == groups['kube-master'][0]

4
roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
View File

@@ -12,7 +12,7 @@
name: calico-policy-controller
kubectl: "{{bin_dir}}/kubectl"
resource: rs
namespace: "{{ system_namespace }}"
namespace: "kube-system"
state: absent
run_once: true
@@ -32,7 +32,7 @@
- name: Start of Calico kube controllers
kube:
name: "{{item.item.name}}"
namespace: "{{ system_namespace }}"
namespace: "kube-system"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/{{item.item.file}}"

4
roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
View File

@@ -2,7 +2,7 @@ apiVersion: apps/v1beta2
kind: Deployment
metadata:
name: calico-kube-controllers
namespace: {{ system_namespace }}
namespace: kube-system
labels:
k8s-app: calico-kube-controllers
kubernetes.io/cluster-service: "true"
@@ -15,7 +15,7 @@ spec:
template:
metadata:
name: calico-kube-controllers
namespace: {{ system_namespace }}
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
k8s-app: calico-kube-controllers

2
roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
View File

@@ -3,7 +3,7 @@ kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-kube-controllers
namespace: {{ system_namespace }}
namespace: kube-system
rules:
- apiGroups:
- ""

2
roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-crb.yml.j2
View File

@@ -10,4 +10,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: calico-kube-controllers
namespace: {{ system_namespace }}
namespace: kube-system

2
roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-sa.yml.j2
View File

@@ -3,6 +3,6 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-kube-controllers
namespace: {{ system_namespace }}
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"

2
roles/kubernetes-apps/registry/defaults/main.yml
View File

@@ -4,6 +4,6 @@ registry_image_tag: 2.6
registry_proxy_image_repo: gcr.io/google_containers/kube-registry-proxy
registry_proxy_image_tag: 0.4
registry_namespace: "{{ system_namespace }}"
registry_namespace: "kube-system"
registry_storage_class: ""
registry_disk_size: "10Gi"

2
roles/kubernetes-apps/rotate_tokens/tasks/main.yml
View File

@@ -44,5 +44,5 @@
when: needs_rotation
- name: Rotate Tokens | Delete pods in system namespace
command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
command: "{{ bin_dir }}/kubectl delete pods -n kube-system --all"
when: needs_rotation