diff --git a/docs/offline-environment.md b/docs/offline-environment.md index de8a9c8cb7bcf95a752ba7b817d66588077fa2ca..9e743997cfb0f87cff49dde71910f76366d4b77f 100644 --- a/docs/offline-environment.md +++ b/docs/offline-environment.md @@ -62,9 +62,6 @@ docker_ubuntu_repo_gpgkey: "{{ ubuntu_repo }}/docker-ce/gpg" containerd_ubuntu_repo_base_url: "{{ ubuntu_repo }}/containerd" containerd_ubuntu_repo_gpgkey: "{{ ubuntu_repo }}/containerd/gpg" containerd_ubuntu_repo_repokey: 'YOURREPOKEY' - -# If using helm -helm_stable_repo_url: "{{ helm_registry }}" ``` For the OS specific settings, just define the one matching your OS. @@ -73,7 +70,6 @@ If you use the settings like the one above, you'll need to define in your invent * `registry_host`: Container image registry. If you _don't_ use the same repository path for the container images that the ones defined in [Download's role defaults](https://github.com/kubernetes-sigs/kubespray/blob/master/roles/download/defaults/main.yml), you need to override the `*_image_repo` for these container images. If you want to make your life easier, use the same repository path, you won't have to override anything else. * `files_repo`: HTTP webserver or reverse proxy that is able to serve the files listed above. Path is not important, you can store them anywhere as long as it's accessible by kubespray. It's recommended to use `*_version` in the path so that you don't need to modify this setting everytime kubespray upgrades one of these components. * `yum_repo`/`debian_repo`/`ubuntu_repo`: OS package repository depending of your OS, should point to your internal repository. Adjust the path accordingly. -* `helm_registry`: Helm Registry to use for `stable` Helm Charts if `helm_enabled: true` ## Install Kubespray Python Packages diff --git a/docs/vars.md b/docs/vars.md index 2c40ab0e782fb1c243909772ca7ab9d4694a27a6..dbcf98713f3d6839ee19faf46a1ec3d15f2f43a7 100644 --- a/docs/vars.md +++ b/docs/vars.md 
@@ -202,5 +202,4 @@ in the form of dicts of key-value pairs of configuration parameters that will be ## App variables -* *helm_version* - Defaults to v3.x, set to a v2 version (e.g. `v2.16.1` ) to install Helm 2.x (will install Tiller!). -Picking v3 for an existing cluster running Tiller will leave it alone. In that case you will have to remove Tiller manually afterwards. +* *helm_version* - Only supports v3.x. Existing v2 installs (with Tiller) will not be modified and need to be removed manually. diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml index b218924470a32dcd738cc8d642a180b776f1572e..71dcd98c53f6f25a87d89cef3d3876db1a0c2b46 100644 --- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml +++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml @@ -204,8 +204,6 @@ kata_containers_enabled: false # containerd_untrusted_runtime_engine: '' # containerd_untrusted_runtime_root: '' -helm_deployment_type: host - kubeadm_certificate_key: "{{ lookup('password', credentials_dir + '/kubeadm_certificate_key.creds length=64 chars=hexdigits') | lower }}" # K8s image pull policy (imagePullPolicy) diff --git a/inventory/sample/group_vars/k8s-cluster/offline.yml b/inventory/sample/group_vars/k8s-cluster/offline.yml index 65a85c91a7de0afdcb64feb723975c2da62ae40f..22f322863e12d357da9dd54881cd15c34c65291a 100644 --- a/inventory/sample/group_vars/k8s-cluster/offline.yml +++ b/inventory/sample/group_vars/k8s-cluster/offline.yml @@ -66,6 +66,3 @@ # containerd_ubuntu_repo_base_url: "{{ ubuntu_repo }}/containerd" # containerd_ubuntu_repo_gpgkey: "{{ ubuntu_repo }}/containerd/gpg" # containerd_ubuntu_repo_repokey: 'YOURREPOKEY' - -# [Optiona] Helm: if helm_enabled: true in addons.yml -# helm_stable_repo_url: "{{ helm_registry }}" \ No newline at end of file 
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 068a48bf8aaae54f2dd6bd01d7ac426a8ef10535..e722299145e44b7c1c3043695175e9cbe21d483a 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -84,6 +84,7 @@ kube_router_version: "v1.1.0"
 multus_version: "v3.6"
 ovn4nfv_ovn_image_version: "v1.0.0"
 ovn4nfv_k8s_plugin_image_version: "v1.1.0"
+helm_version: "v3.3.4"
 
 # Get kubernetes major version (i.e. 1.17.4 => 1.17)
 kube_major_version: "{{ kube_version | regex_replace('^v([0-9])+\\.([0-9]+)\\.[0-9]+', 'v\\1.\\2') }}"
@@ -101,6 +102,7 @@ etcd_download_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_ver
 cni_download_url: "https://github.com/containernetworking/plugins/releases/download/{{ cni_version }}/cni-plugins-linux-{{ image_arch }}-{{ cni_version }}.tgz"
 calicoctl_download_url: "https://github.com/projectcalico/calicoctl/releases/download/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
 crictl_download_url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/{{ crictl_version }}/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
+helm_download_url: "https://get.helm.sh/helm-{{ helm_version }}-linux-{{ image_arch }}.tar.gz"
 
 crictl_checksums:
 arm:
@@ -401,6 +403,11 @@ calicoctl_binary_checksums:
 v3.16.2: aa5695940ec8a36393725a5ce7b156f776fed8da38b994c0828d7f3a60e59bc6
 v3.15.2: 49165f9e4ad55402248b578310fcf68a57363f54e66be04ac24be9714899b4d5
 
+helm_archive_checksums:
+ arm: 9da6cc39a796f85b6c4e6d48fd8e4888f1003bfb7a193bb6c427cdd752ad40bb
+ amd64: b664632683c36446deeb85c406871590d879491e3de18978b426769e43a1e82c
+ arm64: bdd00b8ff422171b4be5b649a42e5261394a89d7ea57944005fc34d34d1f8160
+
 etcd_binary_checksum: "{{ etcd_binary_checksums[image_arch] }}"
 cni_binary_checksum: "{{ cni_binary_checksums[image_arch] }}"
 kubelet_binary_checksum: "{{ kubelet_checksums[image_arch][kube_version] }}"
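Review bot: `helm_archive_checksums` in the @@ -401 hunk is keyed by architecture only, so the three digests are silently pinned to the single default `helm_version: "v3.3.4"`, while every other binary in this file (`crictl_checksums`, `calicoctl_binary_checksums`, `kubelet_checksums`) nests its digests under the version; anyone overriding `helm_version` (docs/vars.md in this same commit still lists it as an app variable) gets a sha256 mismatch at download time with no hint that the checksum table is the cause. Nesting the existing digests per arch under a `v3.3.4:` key and reading them in the @@ -408 hunk as `helm_archive_checksum: "{{ helm_archive_checksums[image_arch][helm_version] }}"` keeps the checksum pinning meaningful for overrides and matches the neighbouring `crictl_binary_checksum` line; the `downloads.helm` entry in the @@ -887 hunk needs no change for that. `helm_download_url` also deserves a comment that offline installs must point it at their own mirror (the `files_repo` mechanism), since the offline docs in this commit drop the Helm entry without naming the replacement variable.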
@@ -408,6 +415,7 @@ kubectl_binary_checksum: "{{ kubectl_checksums[image_arch][kube_version] }}" kubeadm_binary_checksum: "{{ kubeadm_checksums[image_arch][kubeadm_version] }}" calicoctl_binary_checksum: "{{ calicoctl_binary_checksums[image_arch][calico_ctl_version] }}" crictl_binary_checksum: "{{ crictl_checksums[image_arch][crictl_version] }}" +helm_archive_checksum: "{{ helm_archive_checksums[image_arch] }}" # Containers # In some cases, we need a way to set --registry-mirror or --insecure-registry for docker, @@ -480,11 +488,6 @@ dnsautoscaler_image_repo: "{{ kube_image_repo }}/cpa/cluster-proportional-autosc dnsautoscaler_image_tag: "{{ dnsautoscaler_version }}" test_image_repo: "{{ kube_image_repo }}/busybox" test_image_tag: latest -helm_version: "v3.2.4" -helm_image_repo: "{{ docker_image_repo }}/lachlanevenson/k8s-helm" -helm_image_tag: "{{ helm_version }}" -tiller_image_repo: "{{ gcr_image_repo }}/kubernetes-helm/tiller" -tiller_image_tag: "{{ helm_version }}" registry_image_repo: "{{ docker_image_repo }}/library/registry" registry_image_tag: "2.7.1" @@ -598,7 +601,7 @@ downloads: file: "{{ etcd_deployment_type == 'host' }}" enabled: true version: "{{ etcd_version }}" - dest: "{{ local_release_dir }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz" + dest: "{{ local_release_dir }}/etcd-{{ etcd_version }}-linux-{{ image_arch }}.tar.gz" repo: "{{ etcd_image_repo }}" tag: "{{ etcd_image_tag }}" sha256: >- 
@@ -887,21 +890,16 @@ downloads:
 
 helm:
 enabled: "{{ helm_enabled }}"
- container: true
- repo: "{{ helm_image_repo }}"
- tag: "{{ helm_image_tag }}"
- sha256: "{{ helm_digest_checksum|default(None) }}"
- groups:
- - kube-node
-
- tiller:
- enabled: "{{ helm_enabled and helm_version is version('v3.0.0', '<') }}"
- container: true
- repo: "{{ tiller_image_repo }}"
- tag: "{{ tiller_image_tag }}"
- sha256: "{{ tiller_digest_checksum|default(None) }}"
+ file: true
+ version: "{{ helm_version }}"
+ dest: "{{ local_release_dir }}/helm-{{ helm_version }}/helm-{{ helm_version }}-linux-{{ image_arch }}.tar.gz"
+ sha256: "{{ helm_archive_checksum }}"
+ url: "{{ helm_download_url }}"
+ unarchive: true
+ owner: "root"
+ mode: "0755"
 groups:
- - kube-node
+ - kube-master
 
 registry:
 enabled: "{{ registry_enabled }}"
diff --git a/roles/kubernetes-apps/helm/defaults/main.yml b/roles/kubernetes-apps/helm/defaults/main.yml
index 5820fc21f1c47673c322f6368923152c08d95986..4dc1ccaa08f9860cae6aa81430b161cac5885b13 100644
--- a/roles/kubernetes-apps/helm/defaults/main.yml
+++ b/roles/kubernetes-apps/helm/defaults/main.yml
@@ -1,53 +1,2 @@ --- helm_enabled: false - -# specify a dir and attach it to helm for HELM_HOME. -helm_home_dir: "/root/.helm" - -# Deployment mode: host or docker -helm_deployment_type: host - -# Wait until Tiller is running and ready to receive requests -tiller_wait: false - -# Do not download the local repository cache on helm init -helm_skip_refresh: false - -# Secure Tiller installation with TLS -tiller_enable_tls: false -helm_config_dir: "{{ kube_config_dir }}/helm" -helm_script_dir: "{{ bin_dir }}/helm-scripts" - -# Store tiller release information as Secret instead of a ConfigMap -tiller_secure_release_info: false - -# Where private root key will be secured for TLS -helm_tiller_cert_dir: "{{ helm_config_dir }}/ssl" -tiller_tls_cert: "{{ helm_tiller_cert_dir }}/tiller.pem" -tiller_tls_key: "{{ helm_tiller_cert_dir }}/tiller-key.pem" -tiller_tls_ca_cert: "{{ helm_tiller_cert_dir }}/ca.pem" - -# Permission owner and group for helm client cert. Will be dependent on the helm_home_dir -helm_cert_group: root -helm_cert_owner: root - -# Set URL for stable repository -# helm_stable_repo_url: "https://charts.helm.sh/stable" - -# Namespace for the Tiller Deployment. -tiller_namespace: kube-system - -# Set node selector options for Tiller Deployment manifest. -# tiller_node_selectors: "key1=val1,key2=val2" - -# Override values for the Tiller Deployment manifest. -# tiller_override: "key1=val1,key2=val2" - -# Limit the maximum number of revisions saved per release. Use 0 for no limit. -# tiller_max_history: 0 - -# The name of the tiller service account -tiller_service_account: tiller - -# The number of tiller pod replicas. If not defined, tiller defaults to a single replica -# tiller_replicas: 1 diff --git a/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml b/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml deleted file mode 100644 index f7b18f152202149e67c64ca02a40a54a08bfaf1c..0000000000000000000000000000000000000000 
--- a/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml +++ /dev/null 
@@ -1,110 +0,0 @@ ---- -- name: "Gen_helm_tiller_certs | Create helm config directory (on {{ groups['kube-master'][0] }})" - run_once: yes - delegate_to: "{{ groups['kube-master'][0] }}" - file: - path: "{{ helm_config_dir }}" - state: directory - owner: kube - -- name: "Gen_helm_tiller_certs | Create helm script directory (on {{ groups['kube-master'][0] }})" - run_once: yes - delegate_to: "{{ groups['kube-master'][0] }}" - file: - path: "{{ helm_script_dir }}" - state: directory - owner: kube - -- name: Gen_helm_tiller_certs | Copy certs generation script - run_once: yes - delegate_to: "{{ groups['kube-master'][0] }}" - template: - src: "helm-make-ssl.sh.j2" - dest: "{{ helm_script_dir }}/helm-make-ssl.sh" - mode: 0700 - -- name: "Check_helm_certs | check if helm client certs have already been generated on first master (on {{ groups['kube-master'][0] }})" - find: - paths: "{{ helm_home_dir }}" - patterns: "*.pem" - get_checksum: true - delegate_to: "{{ groups['kube-master'][0] }}" - register: helmcert_master - run_once: true - -- name: Gen_helm_tiller_certs | run cert generation script # noqa 301 - run_once: yes - delegate_to: "{{ groups['kube-master'][0] }}" - command: "{{ helm_script_dir }}/helm-make-ssl.sh -e {{ helm_home_dir }} -d {{ helm_tiller_cert_dir }}" - -- name: Check_helm_client_certs | Set helm_client_certs - set_fact: - helm_client_certs: ['ca.pem', 'cert.pem', 'key.pem'] - -- name: "Check_helm_client_certs | check if a cert already exists on master node" - find: - paths: "{{ helm_home_dir }}" - patterns: "*.pem" - get_checksum: true - register: helmcert_node - when: inventory_hostname != groups['kube-master'][0] - -- name: "Check_helm_client_certs | Set 'sync_helm_certs' to true on masters" - set_fact: - sync_helm_certs: (not item in helmcert_node.files | map(attribute='path') | map("basename") | list or helmcert_node.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != 
helmcert_master.files | selectattr("path", "equalto", "{{ helm_home_dir }}/{{ item }}") | map(attribute="checksum")|first|default('')) - when: - - inventory_hostname != groups['kube-master'][0] - with_items: - - "{{ helm_client_certs }}" - -- name: Gen_helm_tiller_certs | Gather helm client certs - # noqa 303 - tar is called intentionally here, but maybe this should be done with the slurp module - shell: "set -o pipefail && tar cfz - -C {{ helm_home_dir }} {{ helm_client_certs|join(' ') }} | base64 --wrap=0" - args: - executable: /bin/bash - no_log: true - register: helm_client_cert_data - check_mode: no - delegate_to: "{{ groups['kube-master'][0] }}" - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_helm_tiller_certs | Use tempfile for unpacking certs on masters - tempfile: - state: file - path: /tmp - prefix: helmcertsXXXXX - suffix: tar.gz - register: helm_cert_tempfile - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_helm_tiller_certs | Write helm client certs to tempfile - copy: - content: "{{ helm_client_cert_data.stdout }}" - dest: "{{ helm_cert_tempfile.path }}" - owner: root - mode: "0600" - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_helm_tiller_certs | Unpack helm certs on - shell: "set -o pipefail && base64 -d < {{ helm_cert_tempfile.path }} | tar xz -C {{ helm_home_dir }}" - args: - executable: /bin/bash - no_log: true - changed_when: false - check_mode: no - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_helm_tiller_certs | Cleanup tempfile on masters - file: - path: "{{ helm_cert_tempfile.path }}" - state: absent - when: sync_helm_certs|default(false) and inventory_hostname != groups['kube-master'][0] - -- name: Gen_certs | check certificate permissions - file: - path: "{{ helm_home_dir }}" - group: "{{ helm_cert_group }}" - 
state: directory - owner: "{{ helm_cert_owner }}" - mode: "u=rwX,g-rwx,o-rwx" - recurse: yes diff --git a/roles/kubernetes-apps/helm/tasks/install_docker.yml b/roles/kubernetes-apps/helm/tasks/install_docker.yml deleted file mode 100644 index 1fda9d347b9c854a5d40ed637801480a8c6c665f..0000000000000000000000000000000000000000 --- a/roles/kubernetes-apps/helm/tasks/install_docker.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Helm | Set up helm docker launcher - template: - src: helm-container.j2 - dest: "{{ bin_dir }}/helm" - owner: root - mode: 0755 - register: helm_container diff --git a/roles/kubernetes-apps/helm/tasks/install_host.yml b/roles/kubernetes-apps/helm/tasks/install_host.yml deleted file mode 100644 index e4eb54c4358b8d38f5b2d4f12aad51c8003ac0d8..0000000000000000000000000000000000000000 --- a/roles/kubernetes-apps/helm/tasks/install_host.yml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -- name: Helm | Set commands for helm host tasks - set_fact: - helm_compare_command: >- - {%- if container_manager in ['docker', 'crio'] %} - {{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /usr/bin/cmp {{ helm_image_repo }}:{{ helm_image_tag }} /usr/local/bin/helm /systembindir/helm - {%- elif container_manager == "containerd" %} - ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-compare sh -c 'cmp /usr/local/bin/helm /systembindir/helm' - {%- endif %} - helm_copy_command: >- - {%- if container_manager in ['docker', 'crio'] %} - {{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/systembindir --entrypoint /bin/cp {{ helm_image_repo }}:{{ helm_image_tag }} -f /usr/local/bin/helm /systembindir/helm - {%- elif container_manager == "containerd" %} - ctr run --rm --mount type=bind,src={{ bin_dir }},dst=/systembindir,options=rbind:rw {{ helm_image_repo }}:{{ helm_image_tag }} helm-copy sh -c '/bin/cp -f /usr/local/bin/helm /systembindir/helm' - {%- endif %} - -- name: Helm | ensure helm container is pulled for containerd - command: "ctr i pull {{ helm_image_repo }}:{{ helm_image_tag }}" - when: container_manager == "containerd" - -- name: Helm | Compare host helm with helm container - command: "{{ helm_compare_command }}" - register: helm_task_compare_result - until: helm_task_compare_result.rc in [0,1,2] - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - changed_when: false - failed_when: "helm_task_compare_result.rc not in [0,1,2]" - -- name: Helm | Copy helm from helm container - command: "{{ helm_copy_command }}" - when: helm_task_compare_result.rc != 0 - register: helm_task_result - until: helm_task_result.rc == 0 - retries: 4 - delay: "{{ retry_stagger | random + 3 }}" - -- name: Helm | Copy socat wrapper for Flatcar Container Linux by Kinvolk - command: "{{ docker_bin_dir }}/docker run --rm -v {{ bin_dir }}:/opt/bin 
{{ install_socat_image_repo }}:{{ install_socat_image_tag }}" - args: - creates: "{{ bin_dir }}/socat" - when: ansible_os_family in ['Flatcar Container Linux by Kinvolk'] diff --git a/roles/kubernetes-apps/helm/tasks/main.yml b/roles/kubernetes-apps/helm/tasks/main.yml index 83bedb38bd796a89be8361d21caab417958b2f2b..f4d2e19046ade9db6afcf3ce7cccdfb7479708a3 100644 --- a/roles/kubernetes-apps/helm/tasks/main.yml +++ b/roles/kubernetes-apps/helm/tasks/main.yml 
@@ -1,131 +1,34 @@ --- -- name: Helm | Make sure HELM_HOME directory exists - file: path={{ helm_home_dir }} state=directory - -- name: Helm | Set up helm launcher - include_tasks: "install_{{ helm_deployment_type }}.yml" - -- name: Helm | Lay Down Helm Manifests (RBAC) - template: - src: "{{ item.file }}.j2" - dest: "{{ kube_config_dir }}/{{ item.file }}" - with_items: - - {name: tiller, file: tiller-namespace.yml, type: namespace} - - {name: tiller, file: tiller-sa.yml, type: sa} - - {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding} - register: manifests - when: - - dns_mode != 'none' - - inventory_hostname == groups['kube-master'][0] - - helm_version is version('v3.0.0', '<') - -- name: Helm | Apply Helm Manifests (RBAC) - kube: - name: "{{ item.item.name }}" - namespace: "{{ tiller_namespace }}" - kubectl: "{{ bin_dir }}/kubectl" - resource: "{{ item.item.type }}" - filename: "{{ kube_config_dir }}/{{ item.item.file }}" - state: "latest" - with_items: "{{ manifests.results }}" - when: - - dns_mode != 'none' - - inventory_hostname == groups['kube-master'][0] - - helm_version is version('v3.0.0', '<') - -# Generate necessary certs for securing Helm and Tiller connection with TLS -- name: Helm | Set up TLS - include_tasks: "gen_helm_tiller_certs.yml" - when: - - tiller_enable_tls - - helm_version is version('v3.0.0', '<') - -- name: Helm | Install client on all masters - command: > - {{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }} - {% if helm_skip_refresh %} --skip-refresh{% endif %} - {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %} - --client-only - environment: "{{ proxy_env }}" - changed_when: false - when: - - helm_version is version('v3.0.0', '<') - -# FIXME: https://github.com/helm/helm/issues/6374 -- name: Helm | Install/upgrade helm - shell: > - set -o pipefail && - {{ bin_dir }}/helm init --tiller-namespace={{ tiller_namespace }} - {% if helm_skip_refresh %} 
--skip-refresh{% endif %} - {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %} - --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} - {% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %} - {% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %} - --override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %} - {% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %} - {% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %} - {% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %} - {% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %} - --override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' - {% if tiller_wait %} --wait{% endif %} - {% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %} - --output yaml - | sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' - | {{ bin_dir }}/kubectl apply -f - - args: - executable: /bin/bash - register: install_helm - when: - - inventory_hostname == groups['kube-master'][0] - - helm_version is version('v3.0.0', '<') - changed_when: false - environment: "{{ proxy_env }}" - -# FIXME: https://github.com/helm/helm/issues/4063 -- name: Helm | Force apply tiller overrides if necessary - shell: > - set -o pipefail && - {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }} - {% if helm_skip_refresh %} --skip-refresh{% endif %} - {% if helm_stable_repo_url is defined %} 
--stable-repo-url {{ helm_stable_repo_url }}{% endif %} - {% if rbac_enabled %} --service-account={{ tiller_service_account }}{% endif %} - {% if tiller_node_selectors is defined %} --node-selectors {{ tiller_node_selectors }}{% endif %} - --override spec.template.spec.priorityClassName={% if tiller_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %} - {% if tiller_override is defined and tiller_override %} --override {{ tiller_override }}{% endif %} - {% if tiller_max_history is defined %} --history-max={{ tiller_max_history }}{% endif %} - {% if tiller_enable_tls %} --tiller-tls --tiller-tls-verify --tiller-tls-cert={{ tiller_tls_cert }} --tiller-tls-key={{ tiller_tls_key }} --tls-ca-cert={{ tiller_tls_ca_cert }} {% endif %} - {% if tiller_secure_release_info %} --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' {% endif %} - --override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' - {% if tiller_wait %} --wait{% endif %} - {% if tiller_replicas is defined %} --replicas {{ tiller_replicas | int }}{% endif %} - --output yaml - | sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' - | {{ bin_dir }}/kubectl apply -f - - args: - executable: /bin/bash - changed_when: false - when: - - inventory_hostname == groups['kube-master'][0] - - helm_version is version('v3.0.0', '<') - environment: "{{ proxy_env }}" - -- name: Helm | Add/update stable repo on all masters - command: "{{ bin_dir }}/helm repo add stable {{ helm_stable_repo_url }}" - environment: "{{ proxy_env }}" - when: - - helm_version is version('v3.0.0', '>=') - - helm_stable_repo_url is defined - -- name: Make sure bash_completion.d folder exists # noqa 503 - file: - name: "/etc/bash_completion.d/" - state: directory - when: - - ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed)) - - ansible_os_family in ["ClearLinux"] - -- name: 
Helm | Set up bash completion # noqa 503
- shell: "umask 022 && {{ bin_dir }}/helm completion bash >/etc/bash_completion.d/helm.sh"
- when:
- - ((helm_container is defined and helm_container.changed) or (helm_task_result is defined and helm_task_result.changed))
- - not ansible_os_family in ["Flatcar Container Linux by Kinvolk"]
+- name: Helm | Download helm
+ include_tasks: "../../../download/tasks/download_file.yml"
+ vars:
+ download: "{{ download_defaults | combine(downloads.helm) }}"
+
+- name: Copy helm binary from download dir
+ synchronize:
+ src: "{{ local_release_dir }}/helm-{{ helm_version }}/linux-{{ image_arch }}/helm"
+ dest: "{{ bin_dir }}/helm"
+ compress: no
+ perms: yes
+ owner: no
+ group: no
+ delegate_to: "{{ inventory_hostname }}"
+
+- name: Check if bash_completion.d folder exists # noqa 503
+ stat:
+ path: "/etc/bash_completion.d/"
+ register: stat_result
+
+- name: Get helm completion
+ command: "{{ bin_dir }}/helm completion bash"
+ changed_when: False
+ register: helm_completion
+ check_mode: False
+ when: stat_result.stat.exists
+
+- name: Install helm completion
+ copy:
+ dest: /etc/bash_completion.d/helm.sh
+ content: "{{ helm_completion.stdout }}"
+ become: True
+ when: stat_result.stat.exists
diff --git a/roles/kubernetes-apps/helm/templates/helm-container.j2 b/roles/kubernetes-apps/helm/templates/helm-container.j2
deleted file mode 100644
index e760d0056e4dc1be82649cb3f25e1c42421bb9a6..0000000000000000000000000000000000000000
--- a/roles/kubernetes-apps/helm/templates/helm-container.j2
+++ /dev/null
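Review bot: The `Install helm completion` copy task sets no `mode`, so `/etc/bash_completion.d/helm.sh` inherits whatever umask the remote Ansible session runs with, whereas the removed shell task forced `umask 022` so the file was readable by non-root shells; add `mode: "0644"` under `copy:`. The `# noqa 503` on `Check if bash_completion.d folder exists` is a leftover from the old `when: ...changed` task and does not apply to a plain `stat`, so it can be dropped. The new tasks mix `no`/`yes` on `synchronize` with `False`/`True` on `changed_when`, `check_mode` and `become`, while the role's own defaults use lowercase `helm_enabled: false`; `changed_when: false`, `check_mode: false` and `become: true` would keep one boolean style. A comment above the `synchronize` task saying that `src` presumably depends on the `linux-<arch>/helm` layout the download role's `unarchive: true` produces from the Helm tarball would help the next person who changes `dest` in `downloads.helm`.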
@@ -1,17 +0,0 @@ -#!/bin/bash -{{ docker_bin_dir }}/docker run --rm \ - --net=host \ - --name=helm \ - -v {{ ansible_env.HOME | default('/root') }}/.kube:/root/.kube:ro \ - -v /etc/ssl:/etc/ssl:ro \ - -v {{ helm_home_dir }}:{{ helm_home_dir }}:rw \ - {% for dir in ssl_ca_dirs -%} - -v {{ dir }}:{{ dir }}:ro \ - {% endfor -%} - {% if http_proxy is defined or https_proxy is defined -%} - -e http_proxy="{{proxy_env.http_proxy}}" \ - -e https_proxy="{{proxy_env.https_proxy}}" \ - -e no_proxy="{{proxy_env.no_proxy}}" \ - {% endif -%} - {{ helm_image_repo }}:{{ helm_image_tag}} \ - "$@" diff --git a/roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2 b/roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2 deleted file mode 100644 index f82d51c9c276dce467ccc64c773bdf5b2d052e0e..0000000000000000000000000000000000000000 --- a/roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2 +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/bin/bash - -set -o errexit -set -o pipefail - -usage() -{ - cat << EOF -Create self signed certificates - -Usage : $(basename $0) -f <config> [-d <ssldir>] - -h | --help : Show this message - -e | --helm-home : Helm home directory - -d | --ssldir : Directory where the certificates will be installed -EOF -} - -# Options parsing -while (($#)); do - case "$1" in - -h | --help) usage; exit 0;; - -e | --helm-home) HELM_HOME="${2}"; shift 2;; - -d | --ssldir) SSLDIR="${2}"; shift 2;; - *) - usage - echo "ERROR : Unknown option" - exit 3 - ;; - esac -done - -if [ -z ${SSLDIR} ]; then - SSLDIR="/etc/kubernetes/helm/ssl" -fi - -tmpdir=$(mktemp -d /tmp/helm_cacert.XXXXXX) -trap 'rm -rf "${tmpdir}"' EXIT -cd "${tmpdir}" - -mkdir -p "${SSLDIR}" - -# Root CA -if [ -e "$SSLDIR/ca-key.pem" ]; then - # Reuse existing CA - cp $SSLDIR/{ca.pem,ca-key.pem} . -else - openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1 - openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1 -fi - -gen_key_and_cert() { - local name=$1 - local subject=$2 - openssl genrsa -out ${name}-key.pem 4096 > /dev/null 2>&1 - openssl req -new -key ${name}-key.pem -sha256 -out ${name}.csr -subj "${subject}" > /dev/null 2>&1 - openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} > /dev/null 2>&1 -} - -#Generate cert and key for Tiller if they don't exist -if ! [ -e "$SSLDIR/tiller.pem" ]; then - gen_key_and_cert "tiller" "/CN=tiller-server" -fi - -#Generate cert and key for Helm client if they don't exist -if ! 
[ -e "$SSLDIR/helm.pem" ]; then - gen_key_and_cert "helm" "/CN=helm-client" -fi - -# Secure certs to first master -mv *.pem ${SSLDIR}/ - -# Install Helm client certs to first master -# Copy using Helm default names for convenience -cp ${SSLDIR}/ca.pem ${HELM_HOME}/ca.pem -cp ${SSLDIR}/helm.pem ${HELM_HOME}/cert.pem -cp ${SSLDIR}/helm-key.pem ${HELM_HOME}/key.pem diff --git a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2 b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2 deleted file mode 100644 index 56af87be7fabc7ec7fac0632b8aff3ea18fe58ee..0000000000000000000000000000000000000000 --- a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2 +++ /dev/null @@ -1,29 +0,0 @@ ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tiller - namespace: {{ tiller_namespace }} -subjects: - - kind: ServiceAccount - name: {{ tiller_service_account }} - namespace: {{ tiller_namespace }} -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io -{% if podsecuritypolicy_enabled %} ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: psp:tiller -subjects: - - kind: ServiceAccount - name: {{ tiller_service_account }} - namespace: {{ tiller_namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: psp:privileged -{% endif %} diff --git a/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2 b/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2 deleted file mode 100644 index 455742185c2daa3dd8d8e848159adcbd4f442ec8..0000000000000000000000000000000000000000 --- a/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2 +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: "{{ tiller_namespace}}" 
diff --git a/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2 b/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2 deleted file mode 100644 index 8a17b19722b67c0d267722db0a2057236c8c841d..0000000000000000000000000000000000000000 --- a/roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2 +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ tiller_service_account }} - namespace: {{ tiller_namespace }} diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/README.md b/roles/kubernetes-apps/ingress_controller/ingress_nginx/README.md index 08999c83701de4e95b3bef10d74a27f300a1dfb6..3d59dabd25905ffd019a58f65fd08ca422974800 100644 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/README.md +++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/README.md @@ -180,17 +180,14 @@ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --vers ## Using Helm -NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [stable/nginx-ingress](https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress) from the official charts repository. -To install the chart with the release name `my-nginx`: +NGINX Ingress controller can be installed via [Helm](https://helm.sh/) using the chart [ingress-nginx/ingress-nginx](https://kubernetes.github.io/ingress-nginx). +Official documentation is [here](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) -```console -helm install stable/nginx-ingress --name my-nginx -``` - -If the kubernetes cluster has RBAC enabled, then run: +To install the chart with the release name `my-nginx`: ```console -helm install stable/nginx-ingress --name my-nginx --set rbac.create=true +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm install my-nginx ingress-nginx/ingress-nginx ``` Detect installed version: 
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index aa6cf675e22999ebebef2c4661c558bb1bf554fe..c5809b9bb1abb6d3de3d01ed23c54c8a07d53d57 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -303,8 +303,6 @@ containerd_use_systemd_cgroup: false
 etcd_deployment_type: docker
 cert_management: script
 
-helm_deployment_type: host
-
 # Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts
 kubeconfig_localhost: false
 # Download kubectl onto the host that runs Ansible in {{ bin_dir }}
diff --git a/tests/files/packet_centos7-calico-ha.yml b/tests/files/packet_centos7-calico-ha.yml
index d0b488dc1860d808e1a2798b945ce2585dc992aa..526f128994c6a03efc41b481a6a7005a8e94227a 100644
--- a/tests/files/packet_centos7-calico-ha.yml
+++ b/tests/files/packet_centos7-calico-ha.yml
@@ -12,6 +12,3 @@ dns_min_replicas: 1
 typha_enabled: true
 calico_backend: kdd
 typha_secure: true
-
-# Test helm 2 install
-helm_version: v2.16.7