Add option to change the Tiller Deployment namespace.

roles/kubernetes-apps/helm/defaults/main.yml

@@ -13,6 +13,9 @@ helm_skip_refresh: false
 # Set URL for stable repository
 # helm_stable_repo_url: "https://kubernetes-charts.storage.googleapis.com"
 
+# Namespace for the Tiller Deployment.
+tiller_namespace: kube-system
+
 # Set node selector options for Tiller Deployment manifest.
 # tiller_node_selectors: "key1=val1,key2=val2"
 

roles/kubernetes-apps/helm/tasks/main.yml

@@ -7,9 +7,10 @@
 
 - name: Helm | Lay Down Helm Manifests (RBAC)
   template:
-    src: "{{item.file}}"
+    src: "{{item.file}}.j2"
     dest: "{{kube_config_dir}}/{{item.file}}"
   with_items:
+    - {name: tiller, file: tiller-namespace.yml, type: namespace}
     - {name: tiller, file: tiller-sa.yml, type: sa}
     - {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding}
   register: manifests
@@ -18,7 +19,7 @@
 - name: Helm | Apply Helm Manifests (RBAC)
   kube:
     name: "{{item.item.name}}"
-    namespace: "kube-system"
+    namespace: "{{ tiller_namespace }}"
     kubectl: "{{bin_dir}}/kubectl"
     resource: "{{item.item.type}}"
     filename: "{{kube_config_dir}}/{{item.item.file}}"
@@ -28,7 +29,7 @@
 
 - name: Helm | Install/upgrade helm
   command: >
-    {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace=kube-system
+    {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }}
     {% if helm_skip_refresh %} --skip-refresh{% endif %}
     {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
     {% if rbac_enabled %} --service-account=tiller{% endif %}

roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml → roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml.j2

@@ -3,12 +3,27 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: tiller
-  namespace: kube-system
+  namespace: {{ tiller_namespace }}
 subjects:
   - kind: ServiceAccount
     name: tiller
-    namespace: kube-system
+    namespace: {{ tiller_namespace }}
 roleRef:
   kind: ClusterRole
   name: cluster-admin
   apiGroup: rbac.authorization.k8s.io
+{% if podsecuritypolicy_enabled %}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: psp:tiller
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: {{ tiller_namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:privileged
+{% endif %}

roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2

+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "{{ tiller_namespace}}"

roles/kubernetes-apps/helm/templates/tiller-sa.yml → roles/kubernetes-apps/helm/templates/tiller-sa.yml.j2

@@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: tiller
-  namespace: kube-system
+  namespace: {{ tiller_namespace }}
   labels:
     kubernetes.io/cluster-service: "true"