add option to secure helm tiller with tls
committed by
Li, George (gl741q)
parent
7bf09945f2
commit
b891d77679
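--- /dev/null
+++ b/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml
@@ -0,0 +1,107 @@
+---
+- name: "Gen_helm_tiller_certs | Create helm config directory (on {{groups['kube-master'][0]}})"
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  file:
+    path: "{{ helm_config_dir }}"
+    state: directory
+    owner: kube
+
+- name: "Gen_helm_tiller_certs | Create helm script directory (on {{groups['kube-master'][0]}})"
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  file:
+    path: "{{ helm_script_dir }}"
+    state: directory
+    owner: kube
+
+- name: Gen_helm_tiller_certs | Copy certs generation script
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  copy:
+    src: "helm-make-ssl.sh"
+    dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
+    mode: 0700
+
+- name: "Check_helm_certs | check if helm client certs have already been generated on first master (on {{groups['kube-master'][0]}})"
+  find:
+    paths: "{{ helm_home_dir }}"
+    patterns: "*.pem"
+    get_checksum: true
+  delegate_to: "{{groups['kube-master'][0]}}"
+  register: helmcert_master
+  run_once: true
+
+- name: Gen_helm_tiller_certs | run cert generation script
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  command: "{{ helm_script_dir }}/helm-make-ssl.sh -e {{ helm_home_dir }} -d {{ helm_tiller_cert_dir }}"
+
+- set_fact:
+    helm_client_certs: ['ca.pem', 'cert.pem', 'key.pem']
+
+- name: "Check_helm_client_certs | check if a cert already exists on master node"
+  find:
+    paths: "{{ helm_home_dir }}"
+    patterns: "*.pem"
+    get_checksum: true
+  register: helmcert_node
+  when: inventory_hostname != groups['kube-master'][0]
+
+- name: "Check_helm_client_certs | Set 'sync_helm_certs' to true on masters"
+  set_fact:
+    sync_helm_certs: true
+  when: inventory_hostname != groups['kube-master'][0] and
+        (not item in helmcert_node.files | map(attribute='path') | map("basename") | list or
+        helmcert_node.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != helmcert_master.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
+  with_items:
+    - "{{ helm_client_certs }}"
+
+- name: Gen_helm_tiller_certs | Gather helm client certs
+  shell: "tar cfz - -C {{ helm_home_dir }} -T /dev/stdin <<< {{ helm_client_certs|join(' ') }} | base64 --wrap=0"
+  args:
+    executable: /bin/bash
+  no_log: true
+  register: helm_client_cert_data
+  check_mode: no
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
+
+- name: Gen_helm_tiller_certs | Use tempfile for unpacking certs on masters
+  tempfile:
+    state: file
+    path: /tmp
+    prefix: helmcertsXXXXX
+    suffix: tar.gz
+  register: helm_cert_tempfile
+  when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
+
+- name: Gen_helm_tiller_certs | Write helm client certs to tempfile
+  copy:
+    content: "{{helm_client_cert_data.stdout}}"
+    dest: "{{helm_cert_tempfile.path}}"
+    owner: root
+    mode: "0600"
+  when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
+
+- name: Gen_helm_tiller_certs | Unpack helm certs on masters
+  shell: "base64 -d < {{ helm_cert_tempfile.path }} | tar xz -C {{ helm_home_dir }}"
+  no_log: true
+  changed_when: false
+  check_mode: no
+  when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
+
+- name: Gen_helm_tiller_certs | Cleanup tempfile on masters
+  file:
+    path: "{{helm_cert_tempfile.path}}"
+    state: absent
+  when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0]
+
+- name: Gen_certs | check certificate permissions
+  file:
+    path: "{{ helm_home_dir }}"
+    group: "{{ helm_cert_group }}"
+    state: directory
+    owner: "{{ helm_cert_owner }}"
+    mode: "u=rwX,g-rwx,o-rwx"
+    recurse: yes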
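Review bot: The "Write helm client certs to tempfile" task writes `content: "{{helm_client_cert_data.stdout}}"` — the base64 bundle that includes key.pem — without `no_log: true`, unlike the gather and unpack tasks on either side of it, so a run with `--diff` or raised verbosity can print the client key to the console and to any log collector; add `no_log: true` next to its `when:`. Separately, `helmcert_master` is registered by the `find` on the first master before the generation script task runs, so if helm-make-ssl.sh rewrites the pem files the checksum comparison in "Set 'sync_helm_certs'" is made against stale values; running the `find` after the script, or gating the script with `creates:`, would keep the two consistent. The script task also has no `creates:` or `changed_when`, so it reports changed on every run. Minor style: `run_once: yes` is mixed with `run_once: true` and `mode: 0700` with `mode: "0600"` within the same file; `true` and the quoted octal are the safer spellings.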
@@ -27,6 +27,11 @@
|
||||
with_items: "{{ manifests.results }}"
|
||||
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
# Generate necessary certs for securing Helm and Tiller connection with TLS
|
||||
- name: Helm | Set up TLS
|
||||
include_tasks: "gen_helm_tiller_certs.yml"
|
||||
when: tiller_enable_tls
|
||||
|
||||
- name: Helm | Install/upgrade helm
|
||||
command: >
|
||||
{{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }}
|
||||
@@ -36,8 +41,11 @@
|
||||
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %}
|
||||
{% if tiller_override is defined %} --override {{ tiller_override }}{% endif %}
|
||||
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %}
|
||||
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %}
|
||||
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %}
|
||||
register: install_helm
|
||||
changed_when: false
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
# FIXME: https://github.com/helm/helm/issues/4063
|
||||
- name: Helm | Force apply tiller overrides if necessary
|
||||
@@ -49,9 +57,12 @@
|
||||
{% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %}
|
||||
{% if tiller_override is defined %} --override {{ tiller_override }}{% endif %}
|
||||
{% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %}
|
||||
{% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %}
|
||||
{% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %}
|
||||
| kubectl apply -f -
|
||||
changed_when: false
|
||||
when: tiller_override is defined
|
||||
environment: "{{proxy_env}}"
|
||||
|
||||
- name: Helm | Set up bash completion
|
||||
shell: "umask 022 && {{ bin_dir }}/helm completion bash >/etc/bash_completion.d/helm.sh"
|
||||
|
||||
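Review bot: In the "Force apply tiller overrides if necessary" hunk, the new `--override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}'` line is only forced through `kubectl apply` when `tiller_override is defined` (the task's `when:`), so a deployment that sets `tiller_secure_release_info` without `tiller_override` never gets it applied on that path; given the FIXME citing helm/helm#4063 above it, that presumably leaves an already-installed tiller storing release data outside Secrets. Extending the condition to `when: tiller_override is defined or tiller_secure_release_info` would keep the two paths consistent. Both `{% if tiller_enable_tls %}` and `{% if tiller_secure_release_info %}` are used bare, so they need defaults in the role's defaults, which this diff does not show. The enclosing `command: >` blocks of both tasks start outside the hunks.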