Diffstat (limited to 'ansible/roles/rke')
-rw-r--r--ansible/roles/rke/defaults/main.yml2
-rw-r--r--ansible/roles/rke/tasks/rke_config.yml10
-rw-r--r--ansible/roles/rke/templates/cluster.yml.j24
-rw-r--r--ansible/roles/rke/templates/k8s-dashboard-user.yml.j219
-rw-r--r--ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2178
5 files changed, 212 insertions, 1 deletions
diff --git a/ansible/roles/rke/defaults/main.yml b/ansible/roles/rke/defaults/main.yml
index cbf03b74..88216857 100644
--- a/ansible/roles/rke/defaults/main.yml
+++ b/ansible/roles/rke/defaults/main.yml
@@ -4,6 +4,8 @@ rke_username: rke
rke_bin_dir: /usr/local/bin
kube_config_dir: "{{ ansible_env.HOME }}/.kube"
cluster_config_dir: "{{ app_data_path }}/cluster"
+# Whether dashboard is exposed.
+rke_dashboard_exposed: true
rke:
# rke (rancher) images
etcd: rancher/coreos-etcd:v3.2.24-rancher1
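Review bot: `rke_dashboard_exposed: true` means a fresh deployment publishes the dashboard as a NodePort Service (the flag is consumed at the end of templates/kubernetes-dashboard.yaml.j2), so the secure-by-default choice would be `rke_dashboard_exposed: false` with operators opting in. If the exposed default is intended, the one-line comment should say what it actually does, e.g. `# Expose the Kubernetes dashboard Service as a NodePort on every node; false keeps it ClusterIP-only (reachable via kubectl proxy).` Either way the variable name alone does not tell a reader that it changes the Service type.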
diff --git a/ansible/roles/rke/tasks/rke_config.yml b/ansible/roles/rke/tasks/rke_config.yml
index 49503192..4112e107 100644
--- a/ansible/roles/rke/tasks/rke_config.yml
+++ b/ansible/roles/rke/tasks/rke_config.yml
@@ -38,6 +38,16 @@
src: cluster.yml.j2
dest: "{{ cluster_config_dir }}/cluster.yml"
+- name: Prepare rke addon manifest (dashboard)
+ template:
+ src: kubernetes-dashboard.yaml.j2
+ dest: "{{ cluster_config_dir }}/kubernetes-dashboard.yml"
+
+- name: Prepare rke addon manifest (dashboard user)
+ template:
+ src: k8s-dashboard-user.yml.j2
+ dest: "{{ cluster_config_dir }}/k8s-dashboard-user.yml"
+
- name: Install rke cli tool
copy:
src: "{{ app_data_path }}/downloads/{{ rke_binary }}"
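Review bot: The two new template tasks use inconsistent source names, `kubernetes-dashboard.yaml.j2` versus `k8s-dashboard-user.yml.j2`, while both destinations are `.yml`; renaming the source to `kubernetes-dashboard.yml.j2` (and the file in the same commit) keeps the role greppable. Neither task sets `mode:` for the rendered manifests, so they inherit the umask of the Ansible user rather than a deliberate permission; adding `mode: "0644"` to both `template:` blocks matches how file modes should be written in Ansible. The surrounding task list continues outside the hunk, so there may be an existing convention for `mode:` that the new tasks should follow.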
diff --git a/ansible/roles/rke/templates/cluster.yml.j2 b/ansible/roles/rke/templates/cluster.yml.j2
index d55a486c..64508e6f 100644
--- a/ansible/roles/rke/templates/cluster.yml.j2
+++ b/ansible/roles/rke/templates/cluster.yml.j2
@@ -80,7 +80,9 @@ authentication:
sans: []
webhook: null
addons: ""
-addons_include: []
+addons_include:
+- "{{ cluster_config_dir }}/kubernetes-dashboard.yml"
+- "{{ cluster_config_dir }}/k8s-dashboard-user.yml"
system_images:
etcd: "{{ rke.etcd }}"
alpine: "{{ rke.alpine }}"
diff --git a/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2
new file mode 100644
index 00000000..9031553c
--- /dev/null
+++ b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2
@@ -0,0 +1,19 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: admin-user
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: admin-user
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: admin-user
+ namespace: kube-system \ No newline at end of file
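Review bot: The ClusterRoleBinding grants the `cluster-admin` ClusterRole to the `admin-user` ServiceAccount, and because cluster.yml.j2 lists this manifest in `addons_include` unconditionally, every cluster built by the role gets a permanent cluster-admin token in kube-system whether or not `rke_dashboard_exposed` is set. If this account exists only to log in to the dashboard, a header comment should say so and the binding should be gated or narrowed, since a leaked dashboard login token then equals full cluster control. `apiVersion: rbac.authorization.k8s.io/v1beta1` also disagrees with the `rbac.authorization.k8s.io/v1` the sibling kubernetes-dashboard.yaml.j2 uses for its Role and RoleBinding; `apiVersion: rbac.authorization.k8s.io/v1` takes the same fields and avoids depending on a beta API. The file is also missing its trailing newline.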
diff --git a/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2
new file mode 100644
index 00000000..4458628a
--- /dev/null
+++ b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2
@@ -0,0 +1,178 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------------------- Dashboard Secrets ------------------- #
+
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-certs
+ namespace: kube-system
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-csrf
+ namespace: kube-system
+type: Opaque
+data:
+ csrf: ""
+
+---
+# ------------------- Dashboard Service Account ------------------- #
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+
+---
+# ------------------- Dashboard Role & Role Binding ------------------- #
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kubernetes-dashboard-minimal
+ namespace: kube-system
+rules:
+ # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+ # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create"]
+ # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+ verbs: ["get", "update", "delete"]
+ # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+- apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["kubernetes-dashboard-settings"]
+ verbs: ["get", "update"]
+ # Allow Dashboard to get metrics from heapster.
+- apiGroups: [""]
+ resources: ["services"]
+ resourceNames: ["heapster"]
+ verbs: ["proxy"]
+- apiGroups: [""]
+ resources: ["services/proxy"]
+ resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
+ verbs: ["get"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubernetes-dashboard-minimal
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kubernetes-dashboard-minimal
+subjects:
+- kind: ServiceAccount
+ name: kubernetes-dashboard
+ namespace: kube-system
+
+---
+# ------------------- Dashboard Deployment ------------------- #
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ k8s-app: kubernetes-dashboard
+ template:
+ metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ spec:
+ containers:
+ - name: kubernetes-dashboard
+ image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ args:
+ - --auto-generate-certificates
+ # Uncomment the following line to manually specify Kubernetes API server Host
+ # If not specified, Dashboard will attempt to auto discover the API server and connect
+ # to it. Uncomment only if the default does not work.
+ # - --apiserver-host=http://my-address:port
+ volumeMounts:
+ - name: kubernetes-dashboard-certs
+ mountPath: /certs
+ # Create on-disk volume to store exec logs
+ - mountPath: /tmp
+ name: tmp-volume
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /
+ port: 8443
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+ volumes:
+ - name: kubernetes-dashboard-certs
+ secret:
+ secretName: kubernetes-dashboard-certs
+ - name: tmp-volume
+ emptyDir: {}
+ serviceAccountName: kubernetes-dashboard
+ # Comment the following tolerations if Dashboard must not be deployed on master
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+
+---
+# ------------------- Dashboard Service ------------------- #
+
+kind: Service
+apiVersion: v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+spec:
+ ports:
+ - port: 443
+ targetPort: 8443
+ selector:
+ k8s-app: kubernetes-dashboard
+{% if rke_dashboard_exposed %}
+ type: NodePort
+{% endif %}
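Review bot: The dashboard image is hard-coded as `image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1` in the Deployment, whereas defaults/main.yml keeps the other rke images as variables under the `rke:` mapping; moving it to a variable (for example a new `rke.dashboard` key with this value as its default, referenced as `image: "{{ rke.dashboard }}"`) keeps image pinning and registry overrides in one place. The `{% if rke_dashboard_exposed %}` block at the end switches the Service to NodePort, which with `--auto-generate-certificates` publishes a self-signed-TLS dashboard on an allocated port of every node; a comment above the block noting that the port is cluster-allocated and that the dashboard accepts the cluster-admin token from k8s-dashboard-user.yml.j2 would help the operator judge the setting. The rest of the file is the upstream dashboard manifest and should be marked as such with the upstream version next to the license header so future upgrades can diff against it.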