Deploy ingress, lego and dashboard

2025-12-25 13:46:59 +01:00 · 2018-09-26 04:40:24 +02:00 · 2018-09-26 04:40:24 +02:00 · f468fd3e34
commit f468fd3e34
parent bf83e675f2
43 changed files with 1321 additions and 142 deletions
--- a/roles/kubernetes-dashboard/files/dashboard-clusterrolebinding.yml
+++ b/roles/kubernetes-dashboard/files/dashboard-clusterrolebinding.yml
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-dashboard-crb
+roleRef:
+  apiGroup: ""
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kube-system
--- a/roles/kubernetes-dashboard/files/dashboard-role.yml
+++ b/roles/kubernetes-dashboard/files/dashboard-role.yml
@ -0,0 +1,20 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: kubernetes-dashboard-minimal
+  namespace: kube-system
+rules:
+  # Allow Dashboard to create and watch for changes of 'kubernetes-dashboard-key-holder' secret.
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "watch"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  # Allow Dashboard to get, update and delete 'kubernetes-dashboard-key-holder' secret.
+  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
+  verbs: ["get", "update", "delete"]
+  # Allow Dashboard to get metrics from heapster.
+- apiGroups: [""]
+  resources: ["services"]
+  resourceNames: ["heapster"]
+  verbs: ["proxy"]
--- a/roles/kubernetes-dashboard/files/dashboard-rolebinding.yml
+++ b/roles/kubernetes-dashboard/files/dashboard-rolebinding.yml
@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: kubernetes-dashboard-minimal
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kubernetes-dashboard-minimal
+subjects:
+- kind: ServiceAccount
+  name: kubernetes-dashboard
+  namespace: kube-system
--- a/roles/kubernetes-dashboard/files/dashboard-sa.yml
+++ b/roles/kubernetes-dashboard/files/dashboard-sa.yml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kube-system
--- a/roles/kubernetes-dashboard/files/dashboard-secret.yml
+++ b/roles/kubernetes-dashboard/files/dashboard-secret.yml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard-certs
+  namespace: kube-system
+type: Opaque
--- a/roles/kubernetes-dashboard/files/dashboard-service.yml
+++ b/roles/kubernetes-dashboard/files/dashboard-service.yml
@ -0,0 +1,13 @@
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kube-system
+spec:
+  ports:
+    - port: 80
+      targetPort: 9090
+  selector:
+    k8s-app: kubernetes-dashboard
--- a/roles/kubernetes-dashboard/files/heapster-clusterrolebinding.yml
+++ b/roles/kubernetes-dashboard/files/heapster-clusterrolebinding.yml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: heapster
+  labels:
+    k8s-addon: monitoring-standalone.addons.k8s.io
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:heapster
+subjects:
+- kind: ServiceAccount
+  name: heapster
+  namespace: kube-system
--- a/roles/kubernetes-dashboard/files/heapster-deployment.yml
+++ b/roles/kubernetes-dashboard/files/heapster-deployment.yml
@ -0,0 +1,77 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: heapster
+  namespace: kube-system
+  labels:
+    k8s-addon: monitoring-standalone.addons.k8s.io
+    k8s-app: heapster
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+    version: v1.7.0
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: heapster
+      version: v1.7.0
+  template:
+    metadata:
+      labels:
+        k8s-app: heapster
+        version: v1.7.0
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+    spec:
+      serviceAccountName: heapster
+      containers:
+        - image: gcr.io/google_containers/heapster:v1.4.0
+          name: heapster
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8082
+              scheme: HTTP
+            initialDelaySeconds: 180
+            timeoutSeconds: 5
+          resources:
+            # keep request = limit to keep this container in guaranteed class
+            limits:
+              cpu: 100m
+              memory: 300Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          command:
+            - /heapster
+            - --source=kubernetes.summary_api:''
+        - image: gcr.io/google_containers/addon-resizer:2.0
+          name: heapster-nanny
+          resources:
+            limits:
+              cpu: 50m
+              memory: 100Mi
+            requests:
+              cpu: 50m
+              memory: 100Mi
+          env:
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          command:
+            - /pod_nanny
+            - --cpu=80m
+            - --extra-cpu=0.5m
+            - --memory=140Mi
+            - --extra-memory=4Mi
+            - --deployment=heapster
+            - --container=heapster
+            - --poll-period=300000
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"      
--- a/roles/kubernetes-dashboard/files/heapster-role.yml
+++ b/roles/kubernetes-dashboard/files/heapster-role.yml
@ -0,0 +1,24 @@
+# Heapster's pod_nanny monitors the heapster deployment & its pod(s), and scales
+# the resources of the deployment if necessary.
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: system:pod-nanny
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - "extensions"
+  resources:
+  - deployments
+  verbs:
+  - get
+  - update
--- a/roles/kubernetes-dashboard/files/heapster-rolebinding.yml
+++ b/roles/kubernetes-dashboard/files/heapster-rolebinding.yml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: heapster-binding
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: system:pod-nanny
+subjects:
+- kind: ServiceAccount
+  name: heapster
+  namespace: kube-system
--- a/roles/kubernetes-dashboard/files/heapster-sa.yml
+++ b/roles/kubernetes-dashboard/files/heapster-sa.yml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: heapster
+  namespace: kube-system
+  labels:
+    k8s-addon: monitoring-standalone.addons.k8s.io
--- a/roles/kubernetes-dashboard/files/heapster-service.yml
+++ b/roles/kubernetes-dashboard/files/heapster-service.yml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: heapster
+  namespace: kube-system
+  labels:
+    k8s-addon: monitoring-standalone.addons.k8s.io
+    kubernetes.io/name: "Heapster"
+    kubernetes.io/cluster-service: "true"
+spec:
+  ports:
+    - port: 80
+      targetPort: 8082
+  selector:
+    k8s-app: heapster