From a89ee8c4067c1a695b430ff3a731e6a4a17098c2 Mon Sep 17 00:00:00 2001
From: Chad Swenson <chadswen@gmail.com>
Date: Mon, 13 Nov 2017 13:59:31 -0600
Subject: [PATCH] Add ability to use custom cert secret instead of init
 container provisioned self-signed certs

---
 roles/kubernetes-apps/ansible/defaults/main.yml          | 6 ++++++
 roles/kubernetes-apps/ansible/tasks/dashboard.yml        | 3 ++-
 roles/kubernetes-apps/ansible/tasks/main.yml             | 4 +++-
 roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 | 8 +++++---
 4 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index b8f9cc206..5951086e9 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -54,6 +54,12 @@ dashboard_memory_requests: 64M
 # SSL
 etcd_cert_dir: "/etc/ssl/etcd/ssl"
 canal_cert_dir: "/etc/canal/certs"
+# Set dashboard_use_custom_certs to true if overriding dashboard_certs_secret_name with a secret that
+# contains dashboard_tls_key_file and dashboard_tls_cert_file instead of using the initContainer provisioned certs
+dashboard_use_custom_certs: false
+dashboard_certs_secret_name: kubernetes-dashboard-certs
+dashboard_tls_key_file: dashboard.key
+dashboard_tls_cert_file: dashboard.crt
 
 rbac_resources:
   - sa
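Review bot: The comment added above `dashboard_use_custom_certs` does not say that the secret named by `dashboard_certs_secret_name` must already exist (presumably in the same namespace as the dashboard Deployment) before the role applies the manifest; nothing in this patch creates or checks for it, and a Deployment whose secret volume cannot be resolved will not start its pod, which is the first thing an operator enabling this option will hit. The two comment lines also run well past 120 columns. I would wrap them and add the precondition, e.g. `# Set dashboard_use_custom_certs to true to skip the initContainer-provisioned certs and instead mount a`, `# pre-existing secret named by dashboard_certs_secret_name, which must contain the keys named by`, `# dashboard_tls_key_file and dashboard_tls_cert_file.`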
diff --git a/roles/kubernetes-apps/ansible/tasks/dashboard.yml b/roles/kubernetes-apps/ansible/tasks/dashboard.yml
index 530796c21..84816127e 100644
--- a/roles/kubernetes-apps/ansible/tasks/dashboard.yml
+++ b/roles/kubernetes-apps/ansible/tasks/dashboard.yml
@@ -5,7 +5,8 @@
     kubectl: "{{bin_dir}}/kubectl"
     resource: "{{ item }}"
     state: absent
-  with_items: ['ClusterRoleBinding']
+  with_items:
+    - 'ClusterRoleBinding'
   tags:
     - upgrade
 
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index 025b4fab6..7b36d4536 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -15,7 +15,9 @@
     kubectl: "{{bin_dir}}/kubectl"
     resource: "{{ item }}"
     state: absent
-  with_items: ['deploy', 'svc']
+  with_items:
+    - 'deploy'
+    - 'svc'
   tags:
     - upgrade
 
diff --git a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2 b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
index 35415326e..b16ddd467 100644
--- a/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
+++ b/roles/kubernetes-apps/ansible/templates/dashboard.yml.j2
@@ -127,12 +127,14 @@ spec:
       labels:
         k8s-app: kubernetes-dashboard
     spec:
+{% if not dashboard_use_custom_certs %}
       initContainers:
       - name: kubernetes-dashboard-init
         image: {{ dashboard_init_image_repo }}:{{ dashboard_init_image_tag }}
         volumeMounts:
         - name: kubernetes-dashboard-certs
           mountPath: /certs
+{% endif %}
       containers:
       - name: kubernetes-dashboard
         image: {{ dashboard_image_repo }}:{{ dashboard_image_tag }}
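Review bot: The new `{% if not dashboard_use_custom_certs %}` guard tests Jinja truthiness, so a value supplied as a string (for example from `-e dashboard_use_custom_certs=false` on the command line, which arrives as the string `"false"`) is truthy and silently skips the initContainer while the default secret name is still used, leaving the dashboard with no certificate to serve. The idiomatic Ansible form is `{% if not (dashboard_use_custom_certs | bool) %}`. The enclosing Deployment `spec:` starts and ends outside this hunk.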
@@ -148,8 +150,8 @@ spec:
         - containerPort: 8443
           protocol: TCP
         args:
-          - --tls-key-file=/certs/dashboard.key
-          - --tls-cert-file=/certs/dashboard.crt
+          - --tls-key-file=/certs/{{ dashboard_tls_key_file }}
+          - --tls-cert-file=/certs/{{ dashboard_tls_cert_file }}
           - --authentication-mode=token{% if kube_basic_auth|default(false) %},basic{% endif %}
           # Uncomment the following line to manually specify Kubernetes API server Host
           # If not specified, Dashboard will attempt to auto discover the API server and connect
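Review bot: The two new `--tls-key-file` / `--tls-cert-file` args interpolate `dashboard_tls_key_file` and `dashboard_tls_cert_file` into unquoted plain scalars, so any user value containing a space, ` #`, or `: ` changes how the rendered YAML parses instead of reaching the container as an argument; the same applies to `secretName: {{ dashboard_certs_secret_name }}` in the next hunk. Quoting the templated values avoids that, e.g. `- "--tls-key-file=/certs/{{ dashboard_tls_key_file }}"`, `- "--tls-cert-file=/certs/{{ dashboard_tls_cert_file }}"` and `secretName: "{{ dashboard_certs_secret_name }}"`. The container spec these args belong to continues outside the hunk.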
@@ -172,7 +174,7 @@ spec:
       volumes:
       - name: kubernetes-dashboard-certs
         secret:
-          secretName: kubernetes-dashboard-certs
+          secretName: {{ dashboard_certs_secret_name }}
       - name: tmp-volume
         emptyDir: {}
       serviceAccountName: kubernetes-dashboard
-- 
GitLab