RBAC: Update serviceaccount and k8s rbac for armada
This patch set brings the armada chart to be inline with OSH* RBAC approach used in [0] and [1]. [0] https://review.openstack.org/#/c/526464/52 [1] https://review.openstack.org/#/c/529378/ Change-Id: Ia264c0eaeeba614d676385fab190c6bbfeecd656
This commit is contained in:
parent
f3dd5d42bd
commit
50467c0f10
@ -19,6 +19,8 @@ limitations under the License.
|
|||||||
{{- $dependencies := .Values.dependencies.api }}
|
{{- $dependencies := .Values.dependencies.api }}
|
||||||
{{- $mounts_armada_api := .Values.pod.mounts.armada_api.armada_api }}
|
{{- $mounts_armada_api := .Values.pod.mounts.armada_api.armada_api }}
|
||||||
{{- $mounts_armada_api_init := .Values.pod.mounts.armada_api.init_container }}
|
{{- $mounts_armada_api_init := .Values.pod.mounts.armada_api.init_container }}
|
||||||
|
{{- $serviceAccountName := "armada" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1beta1
|
apiVersion: apps/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -35,6 +37,7 @@ spec:
|
|||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
affinity:
|
affinity:
|
||||||
{{ tuple $envAll "armada" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
{{ tuple $envAll "armada" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
|
@ -17,6 +17,8 @@ limitations under the License.
|
|||||||
{{- if .Values.manifests.job_ks_endpoints }}
|
{{- if .Values.manifests.job_ks_endpoints }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- $dependencies := .Values.dependencies.ks_endpoints }}
|
{{- $dependencies := .Values.dependencies.ks_endpoints }}
|
||||||
|
{{- $serviceAccountName := "armada-ks-endpoints" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -28,11 +30,12 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "armada" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "armada" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
{{- range $key1, $osServiceType := tuple "armada" }}
|
{{- range $key1, $osServiceType := tuple "armada" }}
|
||||||
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
|
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
|
||||||
|
@ -17,6 +17,8 @@ limitations under the License.
|
|||||||
{{- if .Values.manifests.job_ks_service }}
|
{{- if .Values.manifests.job_ks_service }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- $dependencies := .Values.dependencies.ks_service }}
|
{{- $dependencies := .Values.dependencies.ks_service }}
|
||||||
|
{{- $serviceAccountName := "armada-ks-service" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -28,11 +30,12 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "armada" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "armada" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
{{- range $key1, $osServiceType := tuple "armada" }}
|
{{- range $key1, $osServiceType := tuple "armada" }}
|
||||||
- name: {{ $osServiceType }}-ks-service-registration
|
- name: {{ $osServiceType }}-ks-service-registration
|
||||||
|
@ -17,6 +17,8 @@ limitations under the License.
|
|||||||
{{- if .Values.manifests.job_ks_user }}
|
{{- if .Values.manifests.job_ks_user }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- $dependencies := .Values.dependencies.ks_user }}
|
{{- $dependencies := .Values.dependencies.ks_user }}
|
||||||
|
{{- $serviceAccountName := "armada-ks-user" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -28,11 +30,12 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "armada" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "armada" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
- name: armada-ks-user
|
- name: armada-ks-user
|
||||||
image: {{ .Values.images.tags.ks_user }}
|
image: {{ .Values.images.tags.ks_user }}
|
||||||
|
Loading…
Reference in New Issue
Block a user