mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2026-05-19 14:57:43 -02:30
Helm v3 only (#6846)
* Fix etcd download dest Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com> * Only support Helm v3, cleanup install Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
committed by
GitHub
parent
4f7a760a94
commit
68b96bdf1a
@@ -1,110 +0,0 @@
|
||||
---
|
||||
- name: "Gen_helm_tiller_certs | Create helm config directory (on {{ groups['kube-master'][0] }})"
|
||||
run_once: yes
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
file:
|
||||
path: "{{ helm_config_dir }}"
|
||||
state: directory
|
||||
owner: kube
|
||||
|
||||
- name: "Gen_helm_tiller_certs | Create helm script directory (on {{ groups['kube-master'][0] }})"
|
||||
run_once: yes
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
file:
|
||||
path: "{{ helm_script_dir }}"
|
||||
state: directory
|
||||
owner: kube
|
||||
|
||||
- name: Gen_helm_tiller_certs | Copy certs generation script
|
||||
run_once: yes
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
template:
|
||||
src: "helm-make-ssl.sh.j2"
|
||||
dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
|
||||
mode: 0700
|
||||
|
||||
- name: "Check_helm_certs | check if helm client certs have already been generated on first master (on {{ groups['kube-master'][0] }})"
|
||||
find:
|
||||
paths: "{{ helm_home_dir }}"
|
||||
patterns: "*.pem"
|
||||
get_checksum: true
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
register: helmcert_master
|
||||
run_once: true
|
||||
|
||||
- name: Gen_helm_tiller_certs | run cert generation script # noqa 301
|
||||
run_once: yes
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
command: "{{ helm_script_dir }}/helm-make-ssl.sh -e {{ helm_home_dir }} -d {{ helm_tiller_cert_dir }}"
|
||||
|
||||
- name: Check_helm_client_certs | Set helm_client_certs
|
||||
set_fact:
|
||||
helm_client_certs: ['ca.pem', 'cert.pem', 'key.pem']
|
||||
|
||||
- name: "Check_helm_client_certs | check if a cert already exists on master node"
|
||||
find:
|
||||
paths: "{{ helm_home_dir }}"
|
||||
patterns: "*.pem"
|
||||
get_checksum: true
|
||||
register: helmcert_node
|
||||
when: inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: "Check_helm_client_certs | Set 'sync_helm_certs' to true on masters"
|
||||
set_fact:
|
||||
sync_helm_certs: (not item in helmcert_node.files | map(attribute='path') | map("basename") | list or helmcert_node.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != helmcert_master.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
|
||||
when:
|
||||
- inventory_hostname != groups['kube-master'][0]
|
||||
with_items:
|
||||
- "{{ helm_client_certs }}"
|
||||
|
||||
- name: Gen_helm_tiller_certs | Gather helm client certs
|
||||
# noqa 303 - tar is called intentionally here, but maybe this should be done with the slurp module
|
||||
shell: "set -o pipefail && tar cfz - -C {{ helm_home_dir }} {{ helm_client_certs|join(' ') }} | base64 --wrap=0"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
no_log: true
|
||||
register: helm_client_cert_data
|
||||
check_mode: no
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_helm_tiller_certs | Use tempfile for unpacking certs on masters
|
||||
tempfile:
|
||||
state: file
|
||||
path: /tmp
|
||||
prefix: helmcertsXXXXX
|
||||
suffix: tar.gz
|
||||
register: helm_cert_tempfile
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_helm_tiller_certs | Write helm client certs to tempfile
|
||||
copy:
|
||||
content: "{{ helm_client_cert_data.stdout }}"
|
||||
dest: "{{ helm_cert_tempfile.path }}"
|
||||
owner: root
|
||||
mode: "0600"
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_helm_tiller_certs | Unpack helm certs on
|
||||
shell: "set -o pipefail && base64 -d < {{ helm_cert_tempfile.path }} | tar xz -C {{ helm_home_dir }}"
|
||||
args:
|
||||
executable: /bin/bash
|
||||
no_log: true
|
||||
changed_when: false
|
||||
check_mode: no
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_helm_tiller_certs | Cleanup tempfile on masters
|
||||
file:
|
||||
path: "{{ helm_cert_tempfile.path }}"
|
||||
state: absent
|
||||
when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
|
||||
|
||||
- name: Gen_certs | check certificate permissions
|
||||
file:
|
||||
path: "{{ helm_home_dir }}"
|
||||
group: "{{ helm_cert_group }}"
|
||||
state: directory
|
||||
owner: "{{ helm_cert_owner }}"
|
||||
mode: "u=rwX,g-rwx,o-rwx"
|
||||
recurse: yes
|
||||
@@ -1,8 +0,0 @@
|
||||
---
|
||||
- name: Helm | Set up helm docker launcher
|
||||
template:
|
||||
src: helm-container.j2
|
||||
dest: "{{ bin_dir }}/helm"
|
||||
owner: root
|
||||
mode: 0755
|
||||
register: helm_container
|
||||
@@ -1,42 +0,0 @@
|
||||
---
|
||||
- name: Helm | Set commands for helm host tasks
|
||||
set_fact:
|
||||
helm_compare_command: >-
|
||||
{%- if container_manager in ['docker', 'crio'] %}
|
||||
{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /usr/bin/cmp {{ helm_image_repo }}:{{ helm_image_tag }} /usr/local/bin/helm /systembindir/helm
|
||||
{%- elif container_manager == "containerd" %}
|
||||
ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-compare sh -c 'cmp /usr/local/bin/helm /systembindir/helm'
|
||||
{%- endif %}
|
||||
helm_copy_command: >-
|
||||
{%- if container_manager in ['docker', 'crio'] %}
|
||||
{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /bin/cp {{ helm_image_repo }}:{{ helm_image_tag }} -f /usr/local/bin/helm /systembindir/helm
|
||||
{%- elif container_manager == "containerd" %}
|
||||
ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-copy sh -c '/bin/cp -f /usr/local/bin/helm /systembindir/helm'
|
||||
{%- endif %}
|
||||
|
||||
- name: Helm | ensure helm container is pulled for containerd
|
||||
command: "ctr i pull {{ helm_image_repo }}:{{ helm_image_tag }}"
|
||||
when: container_manager == "containerd"
|
||||
|
||||
- name: Helm | Compare host helm with helm container
|
||||
command: "{{ helm_compare_command }}"
|
||||
register: helm_task_compare_result
|
||||
until: helm_task_compare_result.rc in [0,1,2]
|
||||
retries: 4
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
changed_when: false
|
||||
failed_when: "helm_task_compare_result.rc not in [0,1,2]"
|
||||
|
||||
- name: Helm | Copy helm from helm container
|
||||
command: "{{ helm_copy_command }}"
|
||||
when: helm_task_compare_result.rc != 0
|
||||
register: helm_task_result
|
||||
until: helm_task_result.rc == 0
|
||||
retries: 4
|
||||
delay: "{{ retry_stagger | random + 3 }}"
|
||||
|
||||
- name: Helm | Copy socat wrapper for Flatcar Container Linux by Kinvolk
|
||||
command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/opt/bin {{ install_socat_image_repo }}:{{ install_socat_image_tag }}"
|
||||
args:
|
||||
creates: "{{ bin_dir }}/socat"
|
||||
when: ansible_os_family in ['Flatcar Container Linux by Kinvolk']
|
||||
@@ -1,131 +1,34 @@
|
||||
---
|
||||
- name: Helm | Make sure HELM_HOME directory exists
|
||||
file: path={{ helm_home_dir }} state=directory
|
||||
- name: Helm | Download helm
|
||||
include_tasks: "../../../download/tasks/download_file.yml"
|
||||
vars:
|
||||
download: "{{ download_defaults | combine(downloads.helm) }}"
|
||||
|
||||
- name: Helm | Set up helm launcher
|
||||
include_tasks: "install_{{ helm_deployment_type }}.yml"
|
||||
- name: Copy helm binary from download dir
|
||||
synchronize:
|
||||
src: "{{ local_release_dir }}/helm-{{ helm_version }}/linux-{{ image_arch }}/helm"
|
||||
dest: "{{ bin_dir }}/helm"
|
||||
compress: no
|
||||
perms: yes
|
||||
owner: no
|
||||
group: no
|
||||
delegate_to: "{{ inventory_hostname }}"
|
||||
|
||||
- name: Helm | Lay Down Helm Manifests (RBAC)
|
||||
template:
|
||||
src: "{{ item.file }}.j2"
|
||||
dest: "{{ kube_config_dir }}/{{ item.file }}"
|
||||
with_items:
|
||||
- {name: tiller, file: tiller-namespace.yml, type: namespace}
|
||||
- {name: tiller, file: tiller-sa.yml, type: sa}
|
||||
- {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding}
|
||||
register: manifests
|
||||
when:
|
||||
- dns_mode != 'none'
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
- name: Check if bash_completion.d folder exists # noqa 503
|
||||
stat:
|
||||
path: "/etc/bash_completion.d/"
|
||||
register: stat_result
|
||||
|
||||
- name: Helm | Apply Helm Manifests (RBAC)
|
||||
kube:
|
||||
name: "{{ item.item.name }}"
|
||||
namespace: "{{ tiller_namespace }}"
|
||||
kubectl: "{{ bin_dir }}/kubectl"
|
||||
resource: "{{ item.item.type }}"
|
||||
filename: "{{ kube_config_dir }}/{{ item.item.file }}"
|
||||
state: "latest"
|
||||
with_items: "{{ manifests.results }}"
|
||||
when:
|
||||
- dns_mode != 'none'
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
- name: Get helm completion
|
||||
command: "{{ bin_dir }}/helm completion bash"
|
||||
changed_when: False
|
||||
register: helm_completion
|
||||
check_mode: False
|
||||
when: stat_result.stat.exists
|
||||
|
||||
# Generate necessary certs for securing Helm and Tiller connection with TLS
|
||||
- name: Helm | Set up TLS
|
||||
include_tasks: "gen_helm_tiller_certs.yml"
|
||||
when:
|
||||
- tiller_enable_tls
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
|
||||
- name: Helm | Install client on all masters
|
||||
command: >
|
||||
{{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }}
|
||||
{% if helm_skip_refresh %} --skip-refresh{% endif %}
|
||||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
|
||||
--client-only
|
||||
environment: "{{ proxy_env }}"
|
||||
changed_when: false
|
||||
when:
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
|
||||
# FIXME: https://github.com/helm/helm/issues/6374
|
||||
- name: Helm | Install/upgrade helm
|
||||
shell: >
|
||||
set -o pipefail &&
|
||||
{{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }}
|
||||
{% if helm_skip_refresh %} --skip-refresh{% endif %}
|
||||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
|
||||
--upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }}
|
||||
{% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %}
|
||||
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %}
|
||||
--override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}
|
||||
{% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %}
|
||||
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %}
|
||||
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %}
|
||||
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %}
|
||||
--override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm'
|
||||
{% if tiller_wait %} --wait{% endif %}
|
||||
{% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %}
|
||||
--output yaml
|
||||
| sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@'
|
||||
| {{ bin_dir }}/kubectl apply -f -
|
||||
args:
|
||||
executable: /bin/bash
|
||||
register: install_helm
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
changed_when: false
|
||||
environment: "{{ proxy_env }}"
|
||||
|
||||
# FIXME: https://github.com/helm/helm/issues/4063
|
||||
- name: Helm | Force apply tiller overrides if necessary
|
||||
shell: >
|
||||
set -o pipefail &&
|
||||
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }}
|
||||
{% if helm_skip_refresh %} --skip-refresh{% endif %}
|
||||
{% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
|
||||
{% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %}
|
||||
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %}
|
||||
--override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}
|
||||
{% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %}
|
||||
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %}
|
||||
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %}
|
||||
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %}
|
||||
--override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm'
|
||||
{% if tiller_wait %} --wait{% endif %}
|
||||
{% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %}
|
||||
--output yaml
|
||||
| sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@'
|
||||
| {{ bin_dir }}/kubectl apply -f -
|
||||
args:
|
||||
executable: /bin/bash
|
||||
changed_when: false
|
||||
when:
|
||||
- inventory_hostname == groups['kube-master'][0]
|
||||
- helm_version is version('v3.0.0', '<')
|
||||
environment: "{{ proxy_env }}"
|
||||
|
||||
- name: Helm | Add/update stable repo on all masters
|
||||
command: "{{ bin_dir }}/helm repo add stable {{ helm_stable_repo_url }}"
|
||||
environment: "{{ proxy_env }}"
|
||||
when:
|
||||
- helm_version is version('v3.0.0', '>=')
|
||||
- helm_stable_repo_url is defined
|
||||
|
||||
- name: Make sure bash_completion.d folder exists # noqa 503
|
||||
file:
|
||||
name: "/etc/bash_completion.d/"
|
||||
state: directory
|
||||
when:
|
||||
- ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed))
|
||||
- ansible_os_family in ["ClearLinux"]
|
||||
|
||||
- name: Helm | Set up bash completion # noqa 503
|
||||
shell: "umask 022 && {{ bin_dir }}/helm completion bash >/etc/bash_completion.d/helm.sh"
|
||||
when:
|
||||
- ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed))
|
||||
- not ansible_os_family in ["Flatcar Container Linux by Kinvolk"]
|
||||
- name: Install helm completion
|
||||
copy:
|
||||
dest: /etc/bash_completion.d/helm.sh
|
||||
content: "{{ helm_completion.stdout }}"
|
||||
become: True
|
||||
when: stat_result.stat.exists
|
||||
|
||||
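Review bot: The `Install helm completion` task at the end of this hunk writes `/etc/bash_completion.d/helm.sh` without an explicit owner or mode, although bash sources that file in interactive shells, root's included; I would add `owner: root` and `mode: "0644"` to its `copy:` arguments so the result does not depend on the remote umask. The shell task it appears to replace pinned the mode with `umask 022`. The file's content is the stdout of the `helm` binary that `synchronize` copies from `local_release_dir` with `perms: yes`, so the binary's mode and integrity rest on `download_file.yml`, which is not visible here; it is worth confirming that it verifies a checksum. The page has lost its +/- markers, so which tasks survive on the new side is inferred from the `+1,34` count.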