diff options
Diffstat (limited to 'ansible')
-rwxr-xr-x | ansible/group_vars/infrastructure.yml | 2 | ||||
-rw-r--r-- | ansible/roles/rke/defaults/main.yml | 55 | ||||
-rw-r--r-- | ansible/roles/rke/molecule/default/playbook.yml | 4 | ||||
-rw-r--r-- | ansible/roles/rke/templates/cluster.yml.j2 | 2 | ||||
-rw-r--r-- | ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 | 6 | ||||
-rw-r--r-- | ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 | 283 | ||||
-rw-r--r-- | ansible/test/roles/prepare-kubectl/defaults/main.yml | 2 | ||||
-rw-r--r-- | ansible/test/roles/prepare-rke/defaults/main.yml | 4 |
8 files changed, 239 insertions, 119 deletions
diff --git a/ansible/group_vars/infrastructure.yml b/ansible/group_vars/infrastructure.yml index fec242da..dd073735 100755 --- a/ansible/group_vars/infrastructure.yml +++ b/ansible/group_vars/infrastructure.yml @@ -19,7 +19,7 @@ all_simulated_hosts: "{{ simulated_hosts.http + simulated_hosts.nexus }}" populate_nexus: false helm_bin_dir: /usr/local/bin -helm_version: v2.12.3 +helm_version: v2.14.2 rancher_server_image: rancher/server:v1.6.22 vnc_server_image: consol/ubuntu-icewm-vnc:1.4.0 nexus3_image: sonatype/nexus3:3.15.2 diff --git a/ansible/roles/rke/defaults/main.yml b/ansible/roles/rke/defaults/main.yml index d9c044b6..71c0c622 100644 --- a/ansible/roles/rke/defaults/main.yml +++ b/ansible/roles/rke/defaults/main.yml @@ -6,6 +6,7 @@ kube_config_dir: "{{ ansible_env.HOME }}/.kube" cluster_config_dir: "{{ app_data_path }}/cluster" # Whether dashboard is exposed. rke_dashboard_exposed: true +rke_dns: {} rke_etcd: # By default rke creates bind mount: # /var/lib/etcd -> /var/lib/rancher/etcd @@ -48,30 +49,30 @@ rke_etcd: rke: # rke (rancher) images - etcd: rancher/coreos-etcd:v3.2.24-rancher1 - alpine: rancher/rke-tools:v0.1.27 - nginx_proxy: rancher/rke-tools:v0.1.27 - cert_downloader: rancher/rke-tools:v0.1.27 - kubernetes_services_sidecar: rancher/rke-tools:v0.1.27 - kubedns: rancher/k8s-dns-kube-dns:1.15.0 - dnsmasq: rancher/k8s-dns-dnsmasq-nanny:1.15.0 - kubedns_sidecar: rancher/k8s-dns-sidecar:1.15.0 - kubedns_autoscaler: rancher/cluster-proportional-autoscaler:1.0.0 - coredns: coredns/coredns:1.2.6 - coredns_autoscaler: rancher/cluster-proportional-autoscaler:1.0.0 - kubernetes: rancher/hyperkube:v1.13.5-rancher1 - flannel: rancher/coreos-flannel:v0.10.0-rancher1 - flannel_cni: rancher/flannel-cni:v0.3.0-rancher1 - calico_node: rancher/calico-node:v3.4.0 - calico_cni: rancher/calico-cni:v3.4.0 - calico_controllers: "" - calico_ctl: rancher/calico-ctl:v2.0.0 - canal_node: rancher/calico-node:v3.4.0 - canal_cni: rancher/calico-cni:v3.4.0 - canal_flannel: rancher/coreos-flannel:v0.10.0 - weave_node: weaveworks/weave-kube:2.5.0 - weave_cni: weaveworks/weave-npc:2.5.0 - pod_infra_container: rancher/pause:3.1 - ingress: rancher/nginx-ingress-controller:0.21.0-rancher3 - ingress_backend: rancher/nginx-ingress-controller-defaultbackend:1.4-rancher1 - metrics_server: rancher/metrics-server:v0.3.1 + etcd: "rancher/coreos-etcd:v3.3.10-rancher1" + alpine: "rancher/rke-tools:v0.1.50" + nginx_proxy: "rancher/rke-tools:v0.1.50" + cert_downloader: "rancher/rke-tools:v0.1.50" + kubernetes_services_sidecar: "rancher/rke-tools:v0.1.50" + kubedns: "rancher/k8s-dns-kube-dns:1.15.0" + dnsmasq: "rancher/k8s-dns-dnsmasq-nanny:1.15.0" + kubedns_sidecar: "rancher/k8s-dns-sidecar:1.15.0" + kubedns_autoscaler: "rancher/cluster-proportional-autoscaler:1.3.0" + coredns: "rancher/coredns-coredns:1.3.1" + coredns_autoscaler: "rancher/cluster-proportional-autoscaler:1.3.0" + kubernetes: "rancher/hyperkube:v1.15.4-rancher1" + flannel: "rancher/coreos-flannel:v0.11.0-rancher1" + flannel_cni: "rancher/flannel-cni:v0.3.0-rancher5" + calico_node: "rancher/calico-node:v3.7.4" + calico_cni: "rancher/calico-cni:v3.7.4" + calico_controllers: "rancher/calico-kube-controllers:v3.7.4" + calico_ctl: "rancher/calico-ctl:v2.0.0" + canal_node: "rancher/calico-node:v3.7.4" + canal_cni: "rancher/calico-cni:v3.7.4" + canal_flannel: "rancher/coreos-flannel:v0.11.0" + weave_node: "weaveworks/weave-kube:2.5.2" + weave_cni: "weaveworks/weave-npc:2.5.2" + pod_infra_container: "rancher/pause:3.1" + ingress: "rancher/nginx-ingress-controller:nginx-0.25.1-rancher1" + ingress_backend: "rancher/nginx-ingress-controller-defaultbackend:1.5-rancher1" + metrics_server: "rancher/metrics-server:v0.3.3" diff --git a/ansible/roles/rke/molecule/default/playbook.yml b/ansible/roles/rke/molecule/default/playbook.yml index fab7a0d0..33345ed9 100644 --- a/ansible/roles/rke/molecule/default/playbook.yml +++ b/ansible/roles/rke/molecule/default/playbook.yml @@ -11,6 +11,10 @@ roles: - role: rke vars: + rke_dns: + provider: coredns + upstreamnameservers: + - 8.8.8.8 mode: config - name: Prepare kubernetes hosts (RKE) diff --git a/ansible/roles/rke/templates/cluster.yml.j2 b/ansible/roles/rke/templates/cluster.yml.j2 index 51f4e28b..656c1136 100644 --- a/ansible/roles/rke/templates/cluster.yml.j2 +++ b/ansible/roles/rke/templates/cluster.yml.j2 @@ -151,4 +151,4 @@ monitoring: restore: restore: false snapshot_name: "" -dns: null +dns: {{ rke_dns }} diff --git a/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 index 9031553c..5d7a55a7 100644 --- a/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 +++ b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 @@ -3,9 +3,9 @@ apiVersion: v1 kind: ServiceAccount metadata: name: admin-user - namespace: kube-system + namespace: kubernetes-dashboard --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user @@ -16,4 +16,4 @@ roleRef: subjects: - kind: ServiceAccount name: admin-user - namespace: kube-system
\ No newline at end of file + namespace: kubernetes-dashboard diff --git a/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 index 4458628a..7dd9692c 100644 --- a/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 +++ b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 @@ -12,7 +12,41 @@ # See the License for the specific language governing permissions and # limitations under the License. -# ------------------- Dashboard Secrets ------------------- # +apiVersion: v1 +kind: Namespace +metadata: + name: kubernetes-dashboard + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard +{% if rke_dashboard_exposed %} + type: NodePort +{% endif %} + +--- apiVersion: v1 kind: Secret @@ -20,7 +54,7 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-certs - namespace: kube-system + namespace: kubernetes-dashboard type: Opaque --- @@ -31,76 +65,114 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-csrf - namespace: kube-system + namespace: kubernetes-dashboard type: Opaque data: csrf: "" --- -# ------------------- Dashboard Service Account ------------------- # apiVersion: v1 -kind: ServiceAccount +kind: Secret metadata: labels: k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - namespace: kube-system + name: kubernetes-dashboard-key-holder + namespace: kubernetes-dashboard +type: Opaque + +--- + +kind: ConfigMap +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-settings + namespace: kubernetes-dashboard --- -# ------------------- Dashboard Role & Role Binding ------------------- # kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard rules: - # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret. -- apiGroups: [""] - resources: ["secrets"] - verbs: ["create"] - # Allow Dashboard to create 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["create"] # Allow Dashboard to get, update and delete Dashboard exclusive secrets. -- apiGroups: [""] - resources: ["secrets"] - resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] - verbs: ["get", "update", "delete"] - # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. -- apiGroups: [""] - resources: ["configmaps"] - resourceNames: ["kubernetes-dashboard-settings"] - verbs: ["get", "update"] - # Allow Dashboard to get metrics from heapster. -- apiGroups: [""] - resources: ["services"] - resourceNames: ["heapster"] - verbs: ["proxy"] -- apiGroups: [""] - resources: ["services/proxy"] - resourceNames: ["heapster", "http:heapster:", "https:heapster:"] - verbs: ["get"] + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics. + - apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster", "dashboard-metrics-scraper"] + verbs: ["proxy"] + - apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] + verbs: ["get"] + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard +rules: + # Allow Metrics Scraper to get metrics from the Metrics server + - apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes","namespaces","secrets","persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: ["","apps"] + resources: ["pods", "nodes","namespaces","secrets","persistentvolumeclaims","replicasets","deployments","events"] + verbs: ["get", "list", "watch"] --- + apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: kubernetes-dashboard-minimal - namespace: kube-system + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: kubernetes-dashboard-minimal + name: kubernetes-dashboard subjects: -- kind: ServiceAccount + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard + namespace: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole name: kubernetes-dashboard - namespace: kube-system +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard --- -# ------------------- Dashboard Deployment ------------------- # kind: Deployment apiVersion: apps/v1 @@ -108,7 +180,7 @@ metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard - namespace: kube-system + namespace: kubernetes-dashboard spec: replicas: 1 revisionHistoryLimit: 10 @@ -121,58 +193,101 @@ spec: k8s-app: kubernetes-dashboard spec: containers: - - name: kubernetes-dashboard - image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 - ports: - - containerPort: 8443 - protocol: TCP - args: - - --auto-generate-certificates - # Uncomment the following line to manually specify Kubernetes API server Host - # If not specified, Dashboard will attempt to auto discover the API server and connect - # to it. Uncomment only if the default does not work. - # - --apiserver-host=http://my-address:port - volumeMounts: - - name: kubernetes-dashboard-certs - mountPath: /certs - # Create on-disk volume to store exec logs - - mountPath: /tmp - name: tmp-volume - livenessProbe: - httpGet: - scheme: HTTPS - path: / - port: 8443 - initialDelaySeconds: 30 - timeoutSeconds: 30 + - name: kubernetes-dashboard + image: kubernetesui/dashboard:v2.0.0-beta4 + imagePullPolicy: Always + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + - --namespace=kubernetes-dashboard + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. + # - --apiserver-host=http://my-address:port + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 volumes: - - name: kubernetes-dashboard-certs - secret: - secretName: kubernetes-dashboard-certs - - name: tmp-volume - emptyDir: {} + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} serviceAccountName: kubernetes-dashboard # Comment the following tolerations if Dashboard must not be deployed on master tolerations: - - key: node-role.kubernetes.io/master - effect: NoSchedule + - key: node-role.kubernetes.io/master + effect: NoSchedule --- -# ------------------- Dashboard Service ------------------- # kind: Service apiVersion: v1 metadata: labels: - k8s-app: kubernetes-dashboard - name: kubernetes-dashboard - namespace: kube-system + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard spec: ports: - - port: 443 - targetPort: 8443 + - port: 8000 + targetPort: 8000 selector: - k8s-app: kubernetes-dashboard -{% if rke_dashboard_exposed %} - type: NodePort -{% endif %} + k8s-app: dashboard-metrics-scraper + +--- + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: dashboard-metrics-scraper + template: + metadata: + labels: + k8s-app: dashboard-metrics-scraper + spec: + containers: + - name: dashboard-metrics-scraper + image: kubernetesui/metrics-scraper:v1.0.1 + ports: + - containerPort: 8000 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumeMounts: + - mountPath: /tmp + name: tmp-volume + serviceAccountName: kubernetes-dashboard + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + volumes: + - name: tmp-volume + emptyDir: {} diff --git a/ansible/test/roles/prepare-kubectl/defaults/main.yml b/ansible/test/roles/prepare-kubectl/defaults/main.yml index d4e8ef94..aeb09198 100644 --- a/ansible/test/roles/prepare-kubectl/defaults/main.yml +++ b/ansible/test/roles/prepare-kubectl/defaults/main.yml @@ -4,4 +4,4 @@ # cases where it is used by verification tests of other roles). kubectl_install: false # Kubectl version. -kubectl_version: 1.13.5 +kubectl_version: 1.15.4 diff --git a/ansible/test/roles/prepare-rke/defaults/main.yml b/ansible/test/roles/prepare-rke/defaults/main.yml index 2cf85635..28ec779b 100644 --- a/ansible/test/roles/prepare-rke/defaults/main.yml +++ b/ansible/test/roles/prepare-rke/defaults/main.yml @@ -1,5 +1,5 @@ --- #The rke version. -rke_version: 0.2.0 +rke_version: 0.3.0 #The kubectl version. -kubectl_version: 1.13.5 +kubectl_version: 1.15.4 |