summaryrefslogtreecommitdiffstats
path: root/ansible
diff options
context:
space:
mode:
Diffstat (limited to 'ansible')
-rwxr-xr-xansible/group_vars/infrastructure.yml2
-rw-r--r--ansible/roles/rke/defaults/main.yml55
-rw-r--r--ansible/roles/rke/molecule/default/playbook.yml4
-rw-r--r--ansible/roles/rke/templates/cluster.yml.j22
-rw-r--r--ansible/roles/rke/templates/k8s-dashboard-user.yml.j26
-rw-r--r--ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2283
-rw-r--r--ansible/test/roles/prepare-kubectl/defaults/main.yml2
-rw-r--r--ansible/test/roles/prepare-rke/defaults/main.yml4
8 files changed, 239 insertions, 119 deletions
diff --git a/ansible/group_vars/infrastructure.yml b/ansible/group_vars/infrastructure.yml
index fec242da..dd073735 100755
--- a/ansible/group_vars/infrastructure.yml
+++ b/ansible/group_vars/infrastructure.yml
@@ -19,7 +19,7 @@ all_simulated_hosts:
"{{ simulated_hosts.http + simulated_hosts.nexus }}"
populate_nexus: false
helm_bin_dir: /usr/local/bin
-helm_version: v2.12.3
+helm_version: v2.14.2
rancher_server_image: rancher/server:v1.6.22
vnc_server_image: consol/ubuntu-icewm-vnc:1.4.0
nexus3_image: sonatype/nexus3:3.15.2
diff --git a/ansible/roles/rke/defaults/main.yml b/ansible/roles/rke/defaults/main.yml
index d9c044b6..71c0c622 100644
--- a/ansible/roles/rke/defaults/main.yml
+++ b/ansible/roles/rke/defaults/main.yml
@@ -6,6 +6,7 @@ kube_config_dir: "{{ ansible_env.HOME }}/.kube"
cluster_config_dir: "{{ app_data_path }}/cluster"
# Whether dashboard is exposed.
rke_dashboard_exposed: true
+rke_dns: {}
rke_etcd:
# By default rke creates bind mount:
# /var/lib/etcd -> /var/lib/rancher/etcd
@@ -48,30 +49,30 @@ rke_etcd:
rke:
# rke (rancher) images
- etcd: rancher/coreos-etcd:v3.2.24-rancher1
- alpine: rancher/rke-tools:v0.1.27
- nginx_proxy: rancher/rke-tools:v0.1.27
- cert_downloader: rancher/rke-tools:v0.1.27
- kubernetes_services_sidecar: rancher/rke-tools:v0.1.27
- kubedns: rancher/k8s-dns-kube-dns:1.15.0
- dnsmasq: rancher/k8s-dns-dnsmasq-nanny:1.15.0
- kubedns_sidecar: rancher/k8s-dns-sidecar:1.15.0
- kubedns_autoscaler: rancher/cluster-proportional-autoscaler:1.0.0
- coredns: coredns/coredns:1.2.6
- coredns_autoscaler: rancher/cluster-proportional-autoscaler:1.0.0
- kubernetes: rancher/hyperkube:v1.13.5-rancher1
- flannel: rancher/coreos-flannel:v0.10.0-rancher1
- flannel_cni: rancher/flannel-cni:v0.3.0-rancher1
- calico_node: rancher/calico-node:v3.4.0
- calico_cni: rancher/calico-cni:v3.4.0
- calico_controllers: ""
- calico_ctl: rancher/calico-ctl:v2.0.0
- canal_node: rancher/calico-node:v3.4.0
- canal_cni: rancher/calico-cni:v3.4.0
- canal_flannel: rancher/coreos-flannel:v0.10.0
- weave_node: weaveworks/weave-kube:2.5.0
- weave_cni: weaveworks/weave-npc:2.5.0
- pod_infra_container: rancher/pause:3.1
- ingress: rancher/nginx-ingress-controller:0.21.0-rancher3
- ingress_backend: rancher/nginx-ingress-controller-defaultbackend:1.4-rancher1
- metrics_server: rancher/metrics-server:v0.3.1
+ etcd: "rancher/coreos-etcd:v3.3.10-rancher1"
+ alpine: "rancher/rke-tools:v0.1.50"
+ nginx_proxy: "rancher/rke-tools:v0.1.50"
+ cert_downloader: "rancher/rke-tools:v0.1.50"
+ kubernetes_services_sidecar: "rancher/rke-tools:v0.1.50"
+ kubedns: "rancher/k8s-dns-kube-dns:1.15.0"
+ dnsmasq: "rancher/k8s-dns-dnsmasq-nanny:1.15.0"
+ kubedns_sidecar: "rancher/k8s-dns-sidecar:1.15.0"
+ kubedns_autoscaler: "rancher/cluster-proportional-autoscaler:1.3.0"
+ coredns: "rancher/coredns-coredns:1.3.1"
+ coredns_autoscaler: "rancher/cluster-proportional-autoscaler:1.3.0"
+ kubernetes: "rancher/hyperkube:v1.15.4-rancher1"
+ flannel: "rancher/coreos-flannel:v0.11.0-rancher1"
+ flannel_cni: "rancher/flannel-cni:v0.3.0-rancher5"
+ calico_node: "rancher/calico-node:v3.7.4"
+ calico_cni: "rancher/calico-cni:v3.7.4"
+ calico_controllers: "rancher/calico-kube-controllers:v3.7.4"
+ calico_ctl: "rancher/calico-ctl:v2.0.0"
+ canal_node: "rancher/calico-node:v3.7.4"
+ canal_cni: "rancher/calico-cni:v3.7.4"
+ canal_flannel: "rancher/coreos-flannel:v0.11.0"
+ weave_node: "weaveworks/weave-kube:2.5.2"
+ weave_cni: "weaveworks/weave-npc:2.5.2"
+ pod_infra_container: "rancher/pause:3.1"
+ ingress: "rancher/nginx-ingress-controller:nginx-0.25.1-rancher1"
+ ingress_backend: "rancher/nginx-ingress-controller-defaultbackend:1.5-rancher1"
+ metrics_server: "rancher/metrics-server:v0.3.3"
diff --git a/ansible/roles/rke/molecule/default/playbook.yml b/ansible/roles/rke/molecule/default/playbook.yml
index fab7a0d0..33345ed9 100644
--- a/ansible/roles/rke/molecule/default/playbook.yml
+++ b/ansible/roles/rke/molecule/default/playbook.yml
@@ -11,6 +11,10 @@
roles:
- role: rke
vars:
+ rke_dns:
+ provider: coredns
+ upstreamnameservers:
+ - 8.8.8.8
mode: config
- name: Prepare kubernetes hosts (RKE)
diff --git a/ansible/roles/rke/templates/cluster.yml.j2 b/ansible/roles/rke/templates/cluster.yml.j2
index 51f4e28b..656c1136 100644
--- a/ansible/roles/rke/templates/cluster.yml.j2
+++ b/ansible/roles/rke/templates/cluster.yml.j2
@@ -151,4 +151,4 @@ monitoring:
restore:
restore: false
snapshot_name: ""
-dns: null
+dns: {{ rke_dns }}
diff --git a/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2 b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2
index 9031553c..5d7a55a7 100644
--- a/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2
+++ b/ansible/roles/rke/templates/k8s-dashboard-user.yml.j2
@@ -3,9 +3,9 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
- namespace: kube-system
+ namespace: kubernetes-dashboard
---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
@@ -16,4 +16,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: admin-user
- namespace: kube-system \ No newline at end of file
+ namespace: kubernetes-dashboard
diff --git a/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2 b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2
index 4458628a..7dd9692c 100644
--- a/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2
+++ b/ansible/roles/rke/templates/kubernetes-dashboard.yaml.j2
@@ -12,7 +12,41 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-# ------------------- Dashboard Secrets ------------------- #
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kubernetes-dashboard
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
+spec:
+ ports:
+ - port: 443
+ targetPort: 8443
+ selector:
+ k8s-app: kubernetes-dashboard
+{% if rke_dashboard_exposed %}
+ type: NodePort
+{% endif %}
+
+---
apiVersion: v1
kind: Secret
@@ -20,7 +54,7 @@ metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
- namespace: kube-system
+ namespace: kubernetes-dashboard
type: Opaque
---
@@ -31,76 +65,114 @@ metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-csrf
- namespace: kube-system
+ namespace: kubernetes-dashboard
type: Opaque
data:
csrf: ""
---
-# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
-kind: ServiceAccount
+kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard
- namespace: kube-system
+ name: kubernetes-dashboard-key-holder
+ namespace: kubernetes-dashboard
+type: Opaque
+
+---
+
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard-settings
+ namespace: kubernetes-dashboard
---
-# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: kubernetes-dashboard-minimal
- namespace: kube-system
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
rules:
- # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["create"]
- # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
-- apiGroups: [""]
- resources: ["secrets"]
- resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
- verbs: ["get", "update", "delete"]
- # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
-- apiGroups: [""]
- resources: ["configmaps"]
- resourceNames: ["kubernetes-dashboard-settings"]
- verbs: ["get", "update"]
- # Allow Dashboard to get metrics from heapster.
-- apiGroups: [""]
- resources: ["services"]
- resourceNames: ["heapster"]
- verbs: ["proxy"]
-- apiGroups: [""]
- resources: ["services/proxy"]
- resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
- verbs: ["get"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+ verbs: ["get", "update", "delete"]
+ # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["kubernetes-dashboard-settings"]
+ verbs: ["get", "update"]
+ # Allow Dashboard to get metrics.
+ - apiGroups: [""]
+ resources: ["services"]
+ resourceNames: ["heapster", "dashboard-metrics-scraper"]
+ verbs: ["proxy"]
+ - apiGroups: [""]
+ resources: ["services/proxy"]
+ resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
+ verbs: ["get"]
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+rules:
+ # Allow Metrics Scraper to get metrics from the Metrics server
+ - apiGroups: ["metrics.k8s.io"]
+ resources: ["pods", "nodes","namespaces","secrets","persistentvolumeclaims"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["","apps"]
+ resources: ["pods", "nodes","namespaces","secrets","persistentvolumeclaims","replicasets","deployments","events"]
+ verbs: ["get", "list", "watch"]
---
+
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
- name: kubernetes-dashboard-minimal
- namespace: kube-system
+ labels:
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
- name: kubernetes-dashboard-minimal
+ name: kubernetes-dashboard
subjects:
-- kind: ServiceAccount
+ - kind: ServiceAccount
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
name: kubernetes-dashboard
- namespace: kube-system
+subjects:
+ - kind: ServiceAccount
+ name: kubernetes-dashboard
+ namespace: kubernetes-dashboard
---
-# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1
@@ -108,7 +180,7 @@ metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
- namespace: kube-system
+ namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
@@ -121,58 +193,101 @@ spec:
k8s-app: kubernetes-dashboard
spec:
containers:
- - name: kubernetes-dashboard
- image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
- ports:
- - containerPort: 8443
- protocol: TCP
- args:
- - --auto-generate-certificates
- # Uncomment the following line to manually specify Kubernetes API server Host
- # If not specified, Dashboard will attempt to auto discover the API server and connect
- # to it. Uncomment only if the default does not work.
- # - --apiserver-host=http://my-address:port
- volumeMounts:
- - name: kubernetes-dashboard-certs
- mountPath: /certs
- # Create on-disk volume to store exec logs
- - mountPath: /tmp
- name: tmp-volume
- livenessProbe:
- httpGet:
- scheme: HTTPS
- path: /
- port: 8443
- initialDelaySeconds: 30
- timeoutSeconds: 30
+ - name: kubernetes-dashboard
+ image: kubernetesui/dashboard:v2.0.0-beta4
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ args:
+ - --auto-generate-certificates
+ - --namespace=kubernetes-dashboard
+ # Uncomment the following line to manually specify Kubernetes API server Host
+ # If not specified, Dashboard will attempt to auto discover the API server and connect
+ # to it. Uncomment only if the default does not work.
+ # - --apiserver-host=http://my-address:port
+ volumeMounts:
+ - name: kubernetes-dashboard-certs
+ mountPath: /certs
+ # Create on-disk volume to store exec logs
+ - mountPath: /tmp
+ name: tmp-volume
+ livenessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /
+ port: 8443
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
volumes:
- - name: kubernetes-dashboard-certs
- secret:
- secretName: kubernetes-dashboard-certs
- - name: tmp-volume
- emptyDir: {}
+ - name: kubernetes-dashboard-certs
+ secret:
+ secretName: kubernetes-dashboard-certs
+ - name: tmp-volume
+ emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
---
-# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
- k8s-app: kubernetes-dashboard
- name: kubernetes-dashboard
- namespace: kube-system
+ k8s-app: dashboard-metrics-scraper
+ name: dashboard-metrics-scraper
+ namespace: kubernetes-dashboard
spec:
ports:
- - port: 443
- targetPort: 8443
+ - port: 8000
+ targetPort: 8000
selector:
- k8s-app: kubernetes-dashboard
-{% if rke_dashboard_exposed %}
- type: NodePort
-{% endif %}
+ k8s-app: dashboard-metrics-scraper
+
+---
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ labels:
+ k8s-app: dashboard-metrics-scraper
+ name: dashboard-metrics-scraper
+ namespace: kubernetes-dashboard
+spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ k8s-app: dashboard-metrics-scraper
+ template:
+ metadata:
+ labels:
+ k8s-app: dashboard-metrics-scraper
+ spec:
+ containers:
+ - name: dashboard-metrics-scraper
+ image: kubernetesui/metrics-scraper:v1.0.1
+ ports:
+ - containerPort: 8000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ scheme: HTTP
+ path: /
+ port: 8000
+ initialDelaySeconds: 30
+ timeoutSeconds: 30
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp-volume
+ serviceAccountName: kubernetes-dashboard
+ # Comment the following tolerations if Dashboard must not be deployed on master
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ volumes:
+ - name: tmp-volume
+ emptyDir: {}
diff --git a/ansible/test/roles/prepare-kubectl/defaults/main.yml b/ansible/test/roles/prepare-kubectl/defaults/main.yml
index d4e8ef94..aeb09198 100644
--- a/ansible/test/roles/prepare-kubectl/defaults/main.yml
+++ b/ansible/test/roles/prepare-kubectl/defaults/main.yml
@@ -4,4 +4,4 @@
# cases where it is used by verification tests of other roles).
kubectl_install: false
# Kubectl version.
-kubectl_version: 1.13.5
+kubectl_version: 1.15.4
diff --git a/ansible/test/roles/prepare-rke/defaults/main.yml b/ansible/test/roles/prepare-rke/defaults/main.yml
index 2cf85635..28ec779b 100644
--- a/ansible/test/roles/prepare-rke/defaults/main.yml
+++ b/ansible/test/roles/prepare-rke/defaults/main.yml
@@ -1,5 +1,5 @@
---
#The rke version.
-rke_version: 0.2.0
+rke_version: 0.3.0
#The kubectl version.
-kubectl_version: 1.13.5
+kubectl_version: 1.15.4