-rwxr-xr-x | ansible/group_vars/infrastructure.yml | 1 | ||||
-rw-r--r-- | ansible/roles/rke/defaults/main.yml | 2 | ||||
-rw-r--r-- | ansible/roles/rke/tasks/rke_config.yml | 10 | ||||
-rw-r--r-- | ansible/roles/rke/templates/cluster.yml.j2 | 4 | ||||
-rw-r--r-- | ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 | 19 | ||||
-rw-r--r-- | ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 | 178 |
6 files changed, 213 insertions, 1 deletions
diff --git a/ansible/group_vars/infrastructure.yml b/ansible/group_vars/infrastructure.yml
index d831cdba..a812d6b0 100755
--- a/ansible/group_vars/infrastructure.yml
+++ b/ansible/group_vars/infrastructure.yml
@@ -17,6 +17,7 @@ simulated_hosts:
- docker.elastic.co
- docker.io
- gcr.io
+ - k8s.gcr.io
- nexus.{{ ansible_nodename }}
- nexus3.onap.org
- registry-1.docker.io
diff --git a/ansible/roles/rke/defaults/main.yml b/ansible/roles/rke/defaults/main.yml
index cbf03b74..88216857 100644
--- a/ansible/roles/rke/defaults/main.yml
+++ b/ansible/roles/rke/defaults/main.yml
@@ -4,6 +4,8 @@ rke_username: rke
rke_bin_dir: /usr/local/bin
kube_config_dir: "{{ ansible_env.HOME }}/.kube"
cluster_config_dir: "{{ app_data_path }}/cluster"
+# Whether dashboard is exposed.
+rke_dashboard_exposed: true
rke:
# rke (rancher) images
etcd: rancher/coreos-etcd:v3.2.24-rancher1
diff --git a/ansible/roles/rke/tasks/rke_config.yml b/ansible/roles/rke/tasks/rke_config.yml
index 49503192..4112e107 100644
--- a/ansible/roles/rke/tasks/rke_config.yml
+++ b/ansible/roles/rke/tasks/rke_config.yml
@@ -38,6 +38,16 @@
src: cluster.yml.j2
dest: "{{ cluster_config_dir }}/cluster.yml"
+- name: Prepare rke addon manifest (dashboard)
+ template:
+ src: kubernetes-dashboard.yaml.j2
+ dest: "{{ cluster_config_dir }}/kubernetes-dashboard.yml"
+
+- name: Prepare rke addon manifest (dashboard user)
+ template:
+ src: k8s-dashboard-user.yml.j2
+ dest: "{{ cluster_config_dir }}/k8s-dashboard-user.yml"
+
- name: Install rke cli tool
copy:
src: "{{ app_data_path }}/downloads/{{ rke_binary }}"
diff --git a/ansible/roles/rke/templates/cluster.yml.j2 b/ansible/roles/rke/templates/cluster.yml.j2
index d55a486c..64508e6f 100644
--- a/ansible/roles/rke/templates/cluster.yml.j2
+++ b/ansible/roles/rke/templates/cluster.yml.j2
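Review bot: `rke_dashboard_exposed: true` makes the exposed dashboard the default, and since the same change adds an `admin-user` account bound to `cluster-admin` for logging into it, the attack surface is opt-out rather than opt-in; the safer default is `rke_dashboard_exposed: false`, with operators enabling it per deployment. The comment should also say what the flag actually changes — from the other hunks it only switches the dashboard Service to `NodePort`, the dashboard and its admin account are still deployed when it is false — so something like `# Expose the dashboard Service as a NodePort on every node. The dashboard is deployed either way; when false, reach it via kubectl proxy.` would stop readers assuming false means "not installed".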
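Review bot: The two new template tasks name their sources inconsistently — `kubernetes-dashboard.yaml.j2` beside `k8s-dashboard-user.yml.j2` — and both rendered files switch to `.yml`, so the source/dest pairs do not line up and the addon files will not sort together in `cluster_config_dir`. Pick one prefix and one extension (e.g. rename the source to `kubernetes-dashboard.yml.j2` to match its dest and the existing `cluster.yml.j2`). The task list continues outside the hunk.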
@@ -80,7 +80,9 @@ authentication:
sans: []
webhook: null
addons: ""
-addons_include: []
+addons_include:
+- "{{ cluster_config_dir }}/kubernetes-dashboard.yml"
+- "{{ cluster_config_dir }}/k8s-dashboard-user.yml"
system_images:
etcd: "{{ rke.etcd }}"
alpine: "{{ rke.alpine }}"
diff --git a/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2
new file mode 100644
index 00000000..9031553c
--- /dev/null
+++ b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admin-user
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: admin-user
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: admin-user
+ namespace: kube-system
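Review bot: The two `addons_include` entries are rendered unconditionally, so even with `rke_dashboard_exposed: false` the dashboard and the `cluster-admin`-bound `admin-user` service account are still installed into kube-system; the flag only changes the Service type. If that is intended, the flag's documentation should say so; if the intent is that the flag disables the dashboard, wrap the two entries in `{% if rke_dashboard_exposed %}` and render `addons_include: []` in the `{% else %}` branch so the key keeps its list type. I believe RKE keeps applied addons in a ConfigMap and does not delete objects when an entry is later removed, so verify that turning the flag off on an existing cluster actually removes anything before documenting it as a kill switch.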
\ No newline at end of file
diff --git a/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2
new file mode 100644
index 00000000..4458628a
--- /dev/null
+++ b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2
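Review bot: The `admin-user` service account is bound directly to the built-in `cluster-admin` ClusterRole, so its token is a full-cluster root credential whose only purpose here is dashboard login; on the Kubernetes generation RKE of this vintage installs a long-lived token Secret is presumably auto-created for it in kube-system, which is exactly what an attacker reaching the exposed dashboard host needs. At minimum document that in a header comment, e.g. `# Dashboard login identity. Bound to cluster-admin: treat its token as a root credential and remove it when the dashboard is not needed.`, and consider a narrower ClusterRole for routine use. The binding also uses `rbac.authorization.k8s.io/v1beta1` while the dashboard manifest in this same change uses `rbac.authorization.k8s.io/v1`; use `apiVersion: rbac.authorization.k8s.io/v1` here too, as v1beta1 is the deprecated form. The file is also missing its trailing newline.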
@@ -0,0 +1,178 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------------------- Dashboard Secrets ------------------- #
+
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-certs
+ namespace: kube-system
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-csrf
+ namespace: kube-system
+type: Opaque
+data:
+ csrf: ""
+
+---
+# ------------------- Dashboard Service Account ------------------- #
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+
+---
+# ------------------- Dashboard Role & Role Binding ------------------- #
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubernetes-dashboard-minimal
+ namespace: kube-system
+rules:
+ # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+ # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create"]
+ # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+ verbs: ["get", "update", "delete"]
+ # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["kubernetes-dashboard-settings"]
+ verbs: ["get", "update"]
+ # Allow Dashboard to get metrics from heapster.
+- apiGroups: [""]
+ resources: ["services"]
+ resourceNames: ["heapster"]
+ verbs: ["proxy"]
+- apiGroups: [""]
+ resources: ["services/proxy"]
+ resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
+ verbs: ["get"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubernetes-dashboard-minimal
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kubernetes-dashboard-minimal
+subjects:
+- kind: ServiceAccount
+ name: kubernetes-dashboard
+ namespace: kube-system
+
+---
+# ------------------- Dashboard Deployment ------------------- #
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ k8s-app: kubernetes-dashboard
+ template:
+ metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ spec:
+ containers:
+ - name: kubernetes-dashboard
+ image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ args:
+ - --auto-generate-certificates
+ # Uncomment the following line to manually specify Kubernetes API server Host
+ # If not specified, Dashboard will attempt to auto discover the API server and connect
+ # to it. Uncomment only if the default does not work.
+ # - --apiserver-host=http://my-address:port
+ volumeMounts:
+ - name: kubernetes-dashboard-certs
+ mountPath: /certs
+ # Create on-disk volume to store exec logs
+ - mountPath: /tmp
+ name: tmp-volume
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /
+ port: 8443
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+ volumes:
+ - name: kubernetes-dashboard-certs
+ secret:
+ secretName: kubernetes-dashboard-certs
+ - name: tmp-volume
+ emptyDir: {}
+ serviceAccountName: kubernetes-dashboard
+ # Comment the following tolerations if Dashboard must not be deployed on master
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+
+---
+# ------------------- Dashboard Service ------------------- #
+
+kind: Service
+apiVersion: v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+spec:
+ ports:
+ - port: 443
+ targetPort: 8443
+ selector:
+ k8s-app: kubernetes-dashboard
+{% if rke_dashboard_exposed %}
+ type: NodePort
+{% endif %}
|
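Review bot: With `rke_dashboard_exposed` defaulting to true, the Service at the end of the hunk becomes a `NodePort` reachable on every node on an unpinned high port, served with the self-signed cert from `--auto-generate-certificates` and logged into with the cluster-admin token from `k8s-dashboard-user.yml.j2`; that should be opt-in, with `kubectl proxy` as the documented path when the flag is false. If NodePort stays, pin the port (`nodePort: <port>` under the `ports` entry) so perimeter firewall rules can be written deterministically instead of chasing a random allocation. The container also has no `securityContext`; since the only paths it writes are the mounted `/certs` and `/tmp`, adding `securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true}` to the container is cheap hardening (confirm the v1.10.1 image tolerates a read-only root before enabling it). Finally, this is the upstream v1.10.1 recommended manifest with the Jinja block appended; a one-line header comment naming the upstream source and version makes later rebases against upstream possible.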