diff --git a/bin/update_csi.sh b/bin/update_csi.sh
new file mode 100755
index 0000000..f9f30cc
--- /dev/null
+++ b/bin/update_csi.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+cd "$(dirname ${0})"/../files/
+wget https://github.com/jetstack/cert-manager-csi/raw/master/deploy/cert-manager-csi-driver.yaml
+
+kubernetes-split-yaml cert-manager-csi-driver.yaml > generated.log
+mv generated csi
+cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "csi/\2"|'
+
+rm -f generated.log cert-manager-csi-driver.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 6bb16fc..92e9aee 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,4 +5,5 @@ ingress_domain: "local"
 # - 10.244.0.0/16
 # - 192.168.140.0/24
+certmanager_csi: true
 certmanager_version: "0.13"
diff --git a/files/csi/cert-manager-csi-ClusterRole.yaml b/files/csi/cert-manager-csi-ClusterRole.yaml
new file mode 100644
index 0000000..259e4a3
--- /dev/null
+++ b/files/csi/cert-manager-csi-ClusterRole.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cert-manager-csi
+rules:
+- apiGroups: ["cert-manager.io"]
+ resources: ["certificaterequests"]
+ verbs: ["get", "create", "delete", "update"]
diff --git a/files/csi/cert-manager-csi-ClusterRoleBinding.yaml b/files/csi/cert-manager-csi-ClusterRoleBinding.yaml
new file mode 100644
index 0000000..99e1aee
--- /dev/null
+++ b/files/csi/cert-manager-csi-ClusterRoleBinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-csi
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-csi
+subjects:
+- apiGroup:
+ kind: ServiceAccount
+ name: cert-manager-csi
+ namespace: cert-manager
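Review bot: `mv generated csi` in the new script nests the fresh output under `csi/generated/` on every run after this commit, because `files/csi/` now exists as a tracked directory and mv moves into an existing directory instead of replacing it, so the stale manifests stay in place while the trailing `rm -f` only removes the download and the log. The script also runs without `set -e` and with an unquoted `${0}` in the `cd`, so a failed `cd` lets wget write into, and rm delete from, whatever directory the caller happened to be in. The manifest is fetched from the moving `master` ref rather than a tag or commit someone reviewed, so two runs can vendor different content with nothing in the repository saying which upstream state was taken. Pinning the ref, guarding the cd and clearing the old tree before the move keeps regeneration reproducible and lets `git diff` show exactly what changed upstream; `cat generated.log | while read LIGNE` would also read more safely as `while IFS= read -r LIGNE; do …; done < generated.log`.
```shell
#!/bin/bash
set -euo pipefail
# Pin to the upstream tag or commit that was reviewed; <PINNED_REF> is a placeholder.
CSI_REF="${CSI_REF:-<PINNED_REF>}"
cd "$(dirname "$0")/../files" || exit 1
wget "https://github.com/jetstack/cert-manager-csi/raw/${CSI_REF}/deploy/cert-manager-csi-driver.yaml"
kubernetes-split-yaml cert-manager-csi-driver.yaml > generated.log
rm -rf -- csi && mv generated csi
# … unchanged: list-generation pipeline and cleanup …
```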
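Review bot: `certmanager_csi: true` is added with no comment and defaults the feature on, so every consumer of the role that upgrades now gets the CSI DaemonSet from files/csi/ — which runs with `privileged: true`, `SYS_ADMIN` and hostPath mounts under /var/lib/kubelet — without having chosen it. The neighbouring settings in this hunk carry inline comments; a line such as `# Deploy the cert-manager CSI driver from files/csi/ (privileged DaemonSet with hostPath mounts); set to false to remove it` would give operators what they need to decide. Defaulting the flag to false would also keep existing installs unchanged until they opt in.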
diff --git a/files/csi/cert-manager-csi-DaemonSet.yaml b/files/csi/cert-manager-csi-DaemonSet.yaml
new file mode 100644
index 0000000..4c8e7a7
--- /dev/null
+++ b/files/csi/cert-manager-csi-DaemonSet.yaml
@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: cert-manager-csi
+ namespace: cert-manager
+spec:
+ selector:
+ matchLabels:
+ app: cert-manager-csi
+ template:
+ metadata:
+ labels:
+ app: cert-manager-csi
+ spec:
+ serviceAccount: cert-manager-csi
+ containers:
+
+ - name: node-driver-registrar
+ image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
+ lifecycle:
+ preStop:
+ exec:
+ command: ["/bin/sh", "-c", "rm -rf /registration/cert-manager-csi /registration/cert-manager-csi-reg.sock"]
+ args:
+ - --v=5
+ - --csi-address=/plugin/csi.sock
+ - --kubelet-registration-path=/var/lib/kubelet/plugins/cert-manager-csi/csi.sock
+ env:
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - name: plugin-dir
+ mountPath: /plugin
+ - name: registration-dir
+ mountPath: /registration
+
+ - name: cert-manager-csi
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ image: gcr.io/jetstack-josh/cert-manager-csi:v0.1.0-alpha.1
+ imagePullPolicy: "IfNotPresent"
+ args :
+ - --node-id=$(NODE_ID)
+ - --endpoint=$(CSI_ENDPOINT)
+ - --data-root=/csi-data-dir
+ env:
+ - name: NODE_ID
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: CSI_ENDPOINT
+ value: unix://plugin/csi.sock
+ volumeMounts:
+ - name: plugin-dir
+ mountPath: /plugin
+ - name: pods-mount-dir
+ mountPath: /var/lib/kubelet/pods
+ mountPropagation: "Bidirectional"
+ - name: csi-data-dir
+ mountPath: /csi-data-dir
+ volumes:
+ - name: plugin-dir
+ hostPath:
+ path: /var/lib/kubelet/plugins/cert-manager-csi
+ type: DirectoryOrCreate
+ - name: pods-mount-dir
+ hostPath:
+ path: /var/lib/kubelet/pods
+ type: Directory
+ - hostPath:
+ path: /var/lib/kubelet/plugins_registry
+ type: Directory
+ name: registration-dir
+ - hostPath:
+ path: /tmp/cert-manager-csi
+ type: DirectoryOrCreate
+ name: csi-data-dir
diff --git a/files/csi/cert-manager-csi-ServiceAccount.yaml b/files/csi/cert-manager-csi-ServiceAccount.yaml
new file mode 100644
index 0000000..7dc00de
--- /dev/null
+++ b/files/csi/cert-manager-csi-ServiceAccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager-csi
+ namespace: cert-manager
diff --git a/files/csi/csi.cert-manager.io-CSIDriver.yaml b/files/csi/csi.cert-manager.io-CSIDriver.yaml
new file mode 100644
index 0000000..ab74642
--- /dev/null
+++ b/files/csi/csi.cert-manager.io-CSIDriver.yaml
@@ -0,0 +1,8 @@
+apiVersion: storage.k8s.io/v1beta1
+kind: CSIDriver
+metadata:
+ name: csi.cert-manager.io
+spec:
+ podInfoOnMount: true
+ volumeLifecycleModes:
+ - Ephemeral
diff --git a/tasks/csi.yml b/tasks/csi.yml
new file mode 100644
index 0000000..b723ae4
--- /dev/null
+++ b/tasks/csi.yml
@@ -0,0 +1,22 @@
+---
+- set_fact:
+ certmanager_csi_state: "present"
+ when:
+ - certmanager_csi
+
+- set_fact:
+ certmanager_csi_state: "absent"
+ when:
+ - not certmanager_csi
+
+- name: Cert Manager files version {{ certmanager_version }} need to be {{ certmanager_csi_state }}
+ k8s:
+ state: "{{ certmanager_csi_state }}"
+ context: "{{ my_context }}"
+ resource_definition: "{{ lookup('files', item) | from_yaml }}"
+ with_items:
+ - "csi/csi.cert-manager.io-CSIDriver.yaml"
+ - "csi/cert-manager-csi-ServiceAccount.yaml"
+ - "csi/cert-manager-csi-ClusterRole.yaml"
+ - "csi/cert-manager-csi-ClusterRoleBinding.yaml"
+ - "csi/cert-manager-csi-DaemonSet.yaml"
diff --git a/tasks/main.yml b/tasks/main.yml
index f9c87b6..a3609c5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -52,3 +52,11 @@
 when:
 - certmanager_version | regex_search('(0.14)') or certmanager_actual_version.stdout | regex_search('(0.14)')
 tags: certmanager
+
+
+
+ - name: install / uninstall Cert-Manager CSI Kubernetes drivers
+ include_tasks: "csi.yml"
+ when:
+ - certmanager_csi
+ tags: certmanager
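Review bot: `resource_definition: "{{ lookup('files', item) | from_yaml }}"` in the new k8s task names a lookup plugin I cannot find in Ansible core, which ships `file` (and resolves relative paths against the role's files/ directory); if the existing tasks in tasks/main.yml already use this spelling successfully it is at least consistent with them, otherwise it should be `lookup('file', item)`. The task name "Cert Manager files version {{ certmanager_version }}" is also misleading here, since the manifests under files/csi/ carry their own driver version (v0.1.0-alpha.1 in the DaemonSet) and are not tied to `certmanager_version`. The two unnamed `set_fact` tasks could collapse into one line, `certmanager_csi_state: "{{ 'present' if certmanager_csi else 'absent' }}"`, and when the state is absent the list is applied in creation order, so the CSIDriver and ServiceAccount are removed while the DaemonSet that depends on them is still running; reversing the order for removal would be cleaner.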
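Review bot: `tags: certmanager` on the new `include_tasks: "csi.yml"` entry applies only to the include statement itself; with a dynamic include the tasks inside csi.yml do not inherit it, so a run limited to `--tags certmanager` evaluates the include and then skips every task it brings in, while the sibling tasks above it run as expected. Either switch to `import_tasks: csi.yml`, which is static and propagates `tags` and `when` to the imported tasks, or keep `include_tasks` and pass the tag through with an `apply:` block carrying `tags: certmanager`. The three blank lines added ahead of the task are also out of step with the single-blank-line spacing between the tasks above it.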