Merge pull request #3176 from equinix-ms/master

Add option to change the Tiller Deployment namespace.

Merge pull request #3176 from equinix-ms/master
f82a1933 · k8s-ci-robot · GitHub · f876c890 · bbdd1c8f · f82a1933
Unverified Commit f82a1933 authored 6 years ago by k8s-ci-robot Committed by GitHub 6 years ago
--- a/roles/kubernetes-apps/helm/defaults/main.yml
+++ b/roles/kubernetes-apps/helm/defaults/main.yml
@@ -13,6 +13,9 @@ helm_skip_refresh: false
 # Set URL for stable repository
 # helm_stable_repo_url: "https://kubernetes-charts.storage.googleapis.com"
+# Namespace for the Tiller Deployment.
+tiller_namespace: kube-system
 # Set node selector options for Tiller Deployment manifest.
 # tiller_node_selectors: "key1=val1,key2=val2"

--- a/roles/kubernetes-apps/helm/tasks/main.yml
+++ b/roles/kubernetes-apps/helm/tasks/main.yml
@@ -7,9 +7,10 @@
 - name: Helm | Lay Down Helm Manifests (RBAC)
  template:
-    src: "{{item.file}}"
+    src: "{{item.file}}.j2"
    dest: "{{kube_config_dir}}/{{item.file}}"
  with_items:
+    - {name: tiller, file: tiller-namespace.yml, type: namespace}
    - {name: tiller, file: tiller-sa.yml, type: sa}
    - {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding}
  register: manifests
@@ -18,7 +19,7 @@
 - name: Helm | Apply Helm Manifests (RBAC)
  kube:
    name: "{{item.item.name}}"
-    namespace: "kube-system"
+    namespace: "{{ tiller_namespace }}"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
@@ -28,7 +29,7 @@
 - name: Helm | Install/upgrade helm
  command: >
-    {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace=kube-system
+    {{ bin_dir }}/helm init --upgrade --tiller-image={{ tiller_image_repo }}:{{ tiller_image_tag }} --tiller-namespace={{ tiller_namespace }}
    {% if helm_skip_refresh %} --skip-refresh{% endif %}
    {% if helm_stable_repo_url is defined %} --stable-repo-url {{ helm_stable_repo_url }}{% endif %}
    {% if rbac_enabled %} --service-account=tiller{% endif %}

--- a/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
+++ b/roles/kubernetes-apps/helm/templates/tiller-clusterrolebinding.yml
@@ -3,12 +3,27 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: tiller
-  namespace: kube-system
+  namespace: {{ tiller_namespace }}
 subjects:
  - kind: ServiceAccount
    name: tiller
-    namespace: kube-system
+    namespace: {{ tiller_namespace }}
 roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
+{% if podsecuritypolicy_enabled %}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: psp:tiller
+subjects:
+  - kind: ServiceAccount
+    name: tiller
+    namespace: {{ tiller_namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: psp:privileged
+{% endif %}
--- a/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2
+++ b/roles/kubernetes-apps/helm/templates/tiller-namespace.yml.j2
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "{{ tiller_namespace}}"
--- a/roles/kubernetes-apps/helm/templates/tiller-sa.yml
+++ b/roles/kubernetes-apps/helm/templates/tiller-sa.yml
@@ -3,6 +3,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: tiller
-  namespace: kube-system
+  namespace: {{ tiller_namespace }}
  labels:
    kubernetes.io/cluster-service: "true"