MAAS region & rack controller upgrade v3.2
Signed-off-by: Anselme, Schubert (sa246v) <sa246v@att.com> Change-Id: If5fffa59f547d4b19d7c0f086204800e9144d952
parent
eaabbb2722
commit
12555c6a06
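--- a/charts/deps/helm-toolkit/Chart.yaml
+++ b/charts/deps/helm-toolkit/Chart.yaml
@@ -0,0 +1,26 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+appVersion: v1.0.0
+description: OpenStack-Helm Helm-Toolkit
+name: helm-toolkit
+version: 0.2.54
+home: https://docs.openstack.org/openstack-helm
+icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
+sources:
+- https://opendev.org/openstack/openstack-helm-infra
+- https://opendev.org/openstack/openstack-helm
+maintainers:
+- name: OpenStack-Helm Authors
+...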
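--- a/charts/deps/helm-toolkit/requirements.yaml
+++ b/charts/deps/helm-toolkit/requirements.yaml
@@ -0,0 +1,15 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies: []
+...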
@ -0,0 +1,58 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves database, or basic auth, style endpoints
|
||||
values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
auth:
|
||||
admin:
|
||||
username: root
|
||||
password: password
|
||||
service_username:
|
||||
username: username
|
||||
password: password
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path: /dbname
|
||||
scheme: mysql+pymysql
|
||||
port:
|
||||
mysql:
|
||||
default: 3306
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" "service_username" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" }}
|
||||
return: |
|
||||
mysql+pymysql://serviceuser:password@mariadb.default.svc.cluster.local:3306/dbname
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $userclass := index . 2 -}}
|
||||
{{- $port := index . 3 -}}
|
||||
{{- $context := index . 4 -}}
|
||||
{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
|
||||
{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
|
||||
{{- $endpointUser := index $userMap "username" }}
|
||||
{{- $endpointPass := index $userMap "password" }}
|
||||
{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
|
||||
{{- printf "%s://%s:%s@%s:%s%s" $endpointScheme $endpointUser $endpointPass $endpointHost $endpointPort $endpointPath -}}
|
||||
{{- end -}}
|
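Review bot: The final `printf "%s://%s:%s@%s:%s%s"` places `$endpointUser` and `$endpointPass` into the URI without percent-encoding, so a password containing `@`, `:`, `/`, `?` or `#` produces a URI whose host or path is parsed differently from what the values intended. Either encode the two userinfo fields before the `printf`, or state in the header comment that callers must supply already-encoded credentials; the same applies to both `printf` calls that build `$endpointCredAndHost` in `helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup`. Because the returned string carries the cleartext password, I would also add a line to the doc comment such as `note: the result contains the password; render it only into Secret data`. The doc example is inconsistent as well: the values give `username: username` for `service_username`, but the `return:` line shows `serviceuser`.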
@ -0,0 +1,121 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves endpoint string suitible for use with oslo.messaging transport url
|
||||
See: https://docs.openstack.org/oslo.messaging/latest/reference/transport.html#oslo_messaging.TransportURL
|
||||
examples:
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_messaging:
|
||||
auth:
|
||||
cinder:
|
||||
username: cinder
|
||||
password: password
|
||||
statefulset:
|
||||
replicas: 2
|
||||
name: rabbitmq-rabbitmq
|
||||
hosts:
|
||||
default: rabbitmq
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path: /cinder
|
||||
scheme: rabbit
|
||||
port:
|
||||
amqp:
|
||||
default: 5672
|
||||
usage: |
|
||||
{{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
|
||||
return: |
|
||||
rabbit://cinder:password@rabbitmq-rabbitmq-0.rabbitmq.default.svc.cluster.local:5672,cinder:password@rabbitmq-rabbitmq-1.rabbitmq.default.svc.cluster.local:5672/cinder
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_messaging:
|
||||
auth:
|
||||
cinder:
|
||||
username: cinder
|
||||
password: password
|
||||
statefulset: null
|
||||
hosts:
|
||||
default: rabbitmq
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path: /cinder
|
||||
scheme: rabbit
|
||||
port:
|
||||
amqp:
|
||||
default: 5672
|
||||
usage: |
|
||||
{{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
|
||||
return: |
|
||||
rabbit://cinder:password@rabbitmq.default.svc.cluster.local:5672/cinder
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_messaging:
|
||||
auth:
|
||||
cinder:
|
||||
username: cinder
|
||||
password: password
|
||||
statefulset:
|
||||
replicas: 2
|
||||
name: rabbitmq-rabbitmq
|
||||
hosts:
|
||||
default: rabbitmq
|
||||
host_fqdn_override:
|
||||
default: rabbitmq.openstackhelm.org
|
||||
path: /cinder
|
||||
scheme: rabbit
|
||||
port:
|
||||
amqp:
|
||||
default: 5672
|
||||
usage: |
|
||||
{{ tuple "oslo_messaging" "internal" "cinder" "amqp" . | include "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" }}
|
||||
return: |
|
||||
rabbit://cinder:password@rabbitmq.openstackhelm.org:5672/cinder
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.authenticated_transport_endpoint_uri_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $userclass := index . 2 -}}
|
||||
{{- $port := index . 3 -}}
|
||||
{{- $context := index . 4 -}}
|
||||
{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
|
||||
{{- $userMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userclass }}
|
||||
{{- $ssMap := index $context.Values.endpoints ( $type | replace "-" "_" ) "statefulset" | default false}}
|
||||
{{- $hostFqdnOverride := index $context.Values.endpoints ( $type | replace "-" "_" ) "host_fqdn_override" }}
|
||||
{{- $endpointUser := index $userMap "username" }}
|
||||
{{- $endpointPass := index $userMap "password" }}
|
||||
{{- $endpointHostSuffix := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- $local := dict "endpointCredsAndHosts" list -}}
|
||||
{{- if not (or (index $hostFqdnOverride $endpoint | default ( index $hostFqdnOverride "default" ) ) ( not $ssMap ) ) }}
|
||||
{{- $endpointHostPrefix := $ssMap.name }}
|
||||
{{- range $podInt := until ( atoi (print $ssMap.replicas ) ) }}
|
||||
{{- $endpointCredAndHost := printf "%s:%s@%s-%d.%s:%s" $endpointUser $endpointPass $endpointHostPrefix $podInt $endpointHostSuffix $endpointPort }}
|
||||
{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
{{- $endpointCredAndHost := printf "%s:%s@%s:%s" $endpointUser $endpointPass $endpointHost $endpointPort }}
|
||||
{{- $_ := set $local "endpointCredsAndHosts" ( append $local.endpointCredsAndHosts $endpointCredAndHost ) }}
|
||||
{{- end }}
|
||||
{{- $endpointCredsAndHosts := include "helm-toolkit.utils.joinListWithComma" $local.endpointCredsAndHosts }}
|
||||
{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
|
||||
{{- printf "%s://%s%s" $endpointScheme $endpointCredsAndHosts $endpointPath }}
|
||||
{{- end -}}
|
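Review bot: `until ( atoi (print $ssMap.replicas ) )` yields an empty range when `replicas` is missing, zero or not numeric (Sprig's `atoi` returns 0 on a parse failure), so the statefulset branch leaves `$local.endpointCredsAndHosts` empty and the template presumably renders a transport URL with no host at all instead of failing. A guard before the `range`, e.g. `{{- if lt (atoi (print $ssMap.replicas)) 1 }}{{- fail "endpoints statefulset.replicas must be a positive integer" }}{{- end }}`, makes the misconfiguration visible at render time. `$ssMap.name` is likewise used unchecked as the host prefix. The abstract also has a typo: `suitible` should read `suitable`.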
@ -0,0 +1,90 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves either the fully qualified hostname, of if defined in the host field
|
||||
IPv4 for an endpoint.
|
||||
examples:
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
return: |
|
||||
mariadb.default.svc.cluster.local
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default:
|
||||
host: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
return: |
|
||||
mariadb.default.svc.cluster.local
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: 127.0.0.1
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
return: |
|
||||
127.0.0.1
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default:
|
||||
host: 127.0.0.1
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
return: |
|
||||
127.0.0.1
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.endpoint_host_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $context := index . 2 -}}
|
||||
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
|
||||
{{- $endpointScheme := $endpointMap.scheme }}
|
||||
{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
|
||||
{{- if kindIs "map" $context.Values.__endpointHost }}
|
||||
{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
|
||||
{{- end }}
|
||||
{{- $endpointHost := $context.Values.__endpointHost }}
|
||||
{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
|
||||
{{- $endpointHostname := printf "%s" $endpointHost }}
|
||||
{{- printf "%s" $endpointHostname -}}
|
||||
{{- else }}
|
||||
{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
|
||||
{{- printf "%s" $endpointHostname -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
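Review bot: The pattern in `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost` is unanchored, so any host value that merely contains a dotted quad (a constructed example: `db.10.0.0.1.example.test`) is treated as an IP literal and returned verbatim, skipping `hostname_fqdn_endpoint_lookup` and with it any `host_fqdn_override`. Anchoring it, `regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointHost`, limits the shortcut to values that are entirely a dotted quad; the identical expression in `helm-toolkit.endpoints.hostname_short_endpoint_lookup` needs the same change. `$endpointScheme` is assigned here but never read and can be dropped.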
@ -0,0 +1,41 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves the port for an endpoint
|
||||
values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
port:
|
||||
mysql:
|
||||
default: 3306
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
return: |
|
||||
3306
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.endpoint_port_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $port := index . 2 -}}
|
||||
{{- $context := index . 3 -}}
|
||||
{{- $typeYamlSafe := $type | replace "-" "_" }}
|
||||
{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
|
||||
{{- $endpointPortMAP := index $endpointMap.port $port }}
|
||||
{{- $endpointPort := index $endpointPortMAP $endpoint | default ( index $endpointPortMAP "default" ) }}
|
||||
{{- printf "%1.f" $endpointPort -}}
|
||||
{{- end -}}
|
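Review bot: `printf "%1.f" $endpointPort` only formats correctly when the value is a float; a port supplied as a quoted string or as an integer (as can happen with `--set` overrides) would render as a Go format-error string such as `%!f(string=3306)` straight into the consuming configuration. Converting first, e.g. `{{- printf "%d" (int $endpointPort) -}}`, accepts all three forms. The lookup also does not check that a `default` entry exists for the port, so piping it through `required` would turn a silently wrong value into a render error.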
@ -0,0 +1,36 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Gets the token for an endpoint
|
||||
values: |
|
||||
endpoints:
|
||||
keystone:
|
||||
auth:
|
||||
admin:
|
||||
token: zh78JzXgw6YUKy2e
|
||||
usage: |
|
||||
{{ tuple "keystone" "admin" . | include "helm-toolkit.endpoints.endpoint_token_lookup" }}
|
||||
return: |
|
||||
zh78JzXgw6YUKy2e
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.endpoint_token_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $userName := index . 1 -}}
|
||||
{{- $context := index . 2 -}}
|
||||
{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" }}
|
||||
{{- printf "%s" $serviceToken -}}
|
||||
{{- end -}}
|
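Review bot: `printf "%s" $serviceToken` renders the literal text `%!s(<nil>)` when the `token` key is absent, and whatever consumes the output would then use that string as the credential. Piping the lookup through `required`, e.g. `{{- $serviceToken := index $context.Values.endpoints ( $type | replace "-" "_" ) "auth" $userName "token" | required "endpoint auth token must be set" }}`, fails the render instead. The doc example uses a realistic-looking value (`zh78JzXgw6YUKy2e`); an obvious placeholder such as `<admin-token>` avoids secret-scanner hits and accidental reuse in real values. The doc comment should also say that the result is a credential and belongs only in Secret data.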
@ -0,0 +1,59 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves 'hostname:port' for an endpoint
|
||||
examples:
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
port:
|
||||
mysql:
|
||||
default: 3306
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
|
||||
return: |
|
||||
mariadb.default.svc.cluster.local:3306
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: 127.0.0.1
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
port:
|
||||
mysql:
|
||||
default: 3306
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
|
||||
return: |
|
||||
127.0.0.1:3306
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $port := index . 2 -}}
|
||||
{{- $context := index . 3 -}}
|
||||
{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- $endpointHostname := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
{{- printf "%s:%s" $endpointHostname $endpointPort -}}
|
||||
{{- end -}}
|
@ -0,0 +1,76 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves the fully qualified hostname for an endpoint
|
||||
examples:
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
|
||||
return: |
|
||||
mariadb.default.svc.cluster.local
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: mariadb.openstackhelm.openstack.org
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
|
||||
return: |
|
||||
mariadb.openstackhelm.openstack.org
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default:
|
||||
host: mariadb.openstackhelm.openstack.org
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
|
||||
return: |
|
||||
mariadb.openstackhelm.openstack.org
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $context := index . 2 -}}
|
||||
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
|
||||
{{- $endpointHostNamespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
|
||||
{{- $endpointClusterHostname := printf "%s.svc.%s" $endpointHostNamespaced $context.Values.endpoints.cluster_domain_suffix }}
|
||||
{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}
|
||||
{{- if kindIs "map" $context.Values.__FQDNendpointHostDefault }}
|
||||
{{- $_ := set $context.Values "__FQDNendpointHostDefault" ( index $context.Values.__FQDNendpointHostDefault "host" ) }}
|
||||
{{- end }}
|
||||
{{- if kindIs "map" (index $endpointMap.host_fqdn_override $endpoint) }}
|
||||
{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint "host" | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
|
||||
{{- printf "%s" $endpointHostname -}}
|
||||
{{- else }}
|
||||
{{- $endpointHostname := index $endpointMap.host_fqdn_override $endpoint | default $context.Values.__FQDNendpointHostDefault | default $endpointClusterHostname }}
|
||||
{{- printf "%s" $endpointHostname -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
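Review bot: `set $context.Values "__FQDNendpointHostDefault" ...` stores a scratch value in the chart's shared `.Values` map, so it persists after this include returns and appears in anything that later serialises `.Values`; `helm-toolkit.endpoints.endpoint_host_lookup` and `hostname_short_endpoint_lookup` do the same with `__endpointHost`. A template-local dict, as `authenticated_transport_endpoint_uri_lookup` already uses (`$local := dict ...`), keeps the intermediate out of shared state: `{{- $local := dict "fqdnDefault" ( index $endpointMap.host_fqdn_override "default" | default "" ) }}`. Separately, `index $endpointMap.host_fqdn_override "default"` would error if `host_fqdn_override` is absent from the values, which the doc comment could state as a requirement.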
@ -0,0 +1,40 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves the namespace scoped hostname for an endpoint
|
||||
values: |
|
||||
endpoints:
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
|
||||
return: |
|
||||
mariadb.default
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $context := index . 2 -}}
|
||||
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
|
||||
{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
|
||||
{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
{{- $endpointClusterHostname := printf "%s.%s" $endpointHost $namespace }}
|
||||
{{- printf "%s" $endpointClusterHostname -}}
|
||||
{{- end -}}
|
@ -0,0 +1,38 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves the namespace scoped hostname for an endpoint
|
||||
values: |
|
||||
endpoints:
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" }}
|
||||
return: |
|
||||
default
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.hostname_namespaced_endpoint_namespace_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $context := index . 2 -}}
|
||||
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
|
||||
{{- $namespace := $endpointMap.namespace | default $context.Release.Namespace }}
|
||||
{{- printf "%s" $namespace -}}
|
||||
{{- end -}}
|
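Review bot: The doc comment's `abstract:` is copied from `hostname_namespaced_endpoint_lookup` and says the template resolves the namespace-scoped hostname, but it prints only `$namespace`, as the `return:` example (`default`) shows. I would change it to `Resolves the namespace for an endpoint, falling back to the release namespace`. `$endpoint` is read from the tuple but never used.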
@ -0,0 +1,61 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves the short hostname for an endpoint
|
||||
examples:
|
||||
- values: |
|
||||
endpoints:
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
return: |
|
||||
mariadb
|
||||
- values: |
|
||||
endpoints:
|
||||
oslo_db:
|
||||
hosts:
|
||||
default:
|
||||
host: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
return: |
|
||||
mariadb
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $context := index . 2 -}}
|
||||
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
|
||||
{{- $endpointScheme := $endpointMap.scheme }}
|
||||
{{- $_ := set $context.Values "__endpointHost" ( index $endpointMap.hosts $endpoint | default $endpointMap.hosts.default ) }}
|
||||
{{- if kindIs "map" $context.Values.__endpointHost }}
|
||||
{{- $_ := set $context.Values "__endpointHost" ( index $context.Values.__endpointHost "host" ) }}
|
||||
{{- end }}
|
||||
{{- $endpointHost := $context.Values.__endpointHost }}
|
||||
{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointHost }}
|
||||
{{- printf "%s" $type -}}
|
||||
{{- else }}
|
||||
{{- $endpointHostname := printf "%s" $endpointHost }}
|
||||
{{- printf "%s" $endpointHostname -}}
|
||||
{{- end }}
|
||||
{{- end -}}
|
@ -0,0 +1,34 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves the service name for an service type
|
||||
values: |
|
||||
endpoints:
|
||||
identity:
|
||||
name: keystone
|
||||
usage: |
|
||||
{{ tuple identity . | include "keystone_endpoint_name_lookup" }}
|
||||
return: |
|
||||
"keystone"
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.keystone_endpoint_name_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $context := index . 1 -}}
|
||||
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
|
||||
{{- $endpointName := index $endpointMap "name" }}
|
||||
{{- $endpointName | quote -}}
|
||||
{{- end -}}
|
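Review bot: The `usage:` example in the doc comment calls `include "keystone_endpoint_name_lookup"` with an unquoted `identity`, which matches neither the defined name `helm-toolkit.endpoints.keystone_endpoint_name_lookup` nor the quoted-string form the other examples in this commit use. I would write it as `{{ tuple "identity" . | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}`. The comment could also mention that the result is already wrapped in double quotes by `quote`, so callers must not quote it again.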
@ -0,0 +1,48 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# FIXME(portdirect): it appears the port input here serves no purpose,
|
||||
# and should be removed. In addition this function is bugged, do we use it?
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves the path for an endpoint
|
||||
values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
path:
|
||||
default: /dbname
|
||||
port:
|
||||
mysql:
|
||||
default: 3306
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
|
||||
return: |
|
||||
/dbname
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.keystone_endpoint_path_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $port := index . 2 -}}
|
||||
{{- $context := index . 3 -}}
|
||||
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
|
||||
{{- if kindIs "string" $endpointMap.path }}
|
||||
{{- printf "%s" $endpointMap.path | default "/" -}}
|
||||
{{- else -}}
|
||||
{{- $endpointPath := index $endpointMap.path $endpoint | default $endpointMap.path.default | default "/" }}
|
||||
{{- printf "%s" $endpointPath -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
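Review bot: When `path` is absent from the endpoint map, `kindIs "string"` is false and the `else` branch evaluates `index $endpointMap.path $endpoint` on a nil value, which would error before `default "/"` can apply, so the intended fallback is unreachable in that case. Making the second branch `{{- else if kindIs "map" $endpointMap.path -}}` and adding a final `{{- else -}}` that prints `/` gives the fallback the code appears to intend. `$port` is read from the tuple but never used in the body.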
@ -0,0 +1,55 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# FIXME(portdirect): it appears the port input here serves no purpose,
|
||||
# and should be removed. In addition this function is bugged, do we use it?
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Resolves the scheme for an endpoint
|
||||
values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
scheme:
|
||||
default:
|
||||
mysql+pymysql
|
||||
port:
|
||||
mysql:
|
||||
default: 3306
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
|
||||
return: |
|
||||
mysql+pymysql
|
||||
*/}}
|
||||
|
||||
# This function returns the scheme for a service, it takes an tuple
|
||||
# input in the form: service-type, endpoint-class, port-name. eg:
|
||||
# { tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.keystone_scheme_lookup" }
|
||||
# will return the scheme setting for this particular endpoint. In other words, for most endpoints
|
||||
# it will return either 'http' or 'https'
|
||||
|
||||
{{- define "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $port := index . 2 -}}
|
||||
{{- $context := index . 3 -}}
|
||||
{{- $endpointMap := index $context.Values.endpoints ( $type | replace "-" "_" ) }}
|
||||
{{- if kindIs "string" $endpointMap.scheme }}
|
||||
{{- printf "%s" $endpointMap.scheme | default "http" -}}
|
||||
{{- else -}}
|
||||
{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | default "http" }}
|
||||
{{- printf "%s" $endpointScheme -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
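Review bot: An endpoint whose `scheme` is empty, or lacks both the requested class and `default`, resolves silently to cleartext `http` through `default "http"` on both branches, so a values typo downgrades a service URL with no render-time signal. If that fallback is intentional it should be stated in the doc block; otherwise failing closed, e.g. `{{- $endpointScheme := index $endpointMap.scheme $endpoint | default $endpointMap.scheme.default | required "endpoint scheme must be set" }}`, makes the omission visible. The `#` comment above the define also refers to `helm-toolkit.endpoints.keystone_scheme_lookup`, which is not the name defined here (`helm-toolkit.endpoints.keystone_endpoint_scheme_lookup`).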
|
@ -0,0 +1,52 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
This function helps resolve uri style endpoints. It will omit the port for
|
||||
http when 80 is used, and 443 in the case of https.
|
||||
values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path: /dbname
|
||||
scheme: mysql+pymysql
|
||||
port:
|
||||
mysql:
|
||||
default: 3306
|
||||
usage: |
|
||||
{{ tuple "oslo_db" "internal" "mysql" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
|
||||
return: |
|
||||
mysql+pymysql://mariadb.default.svc.cluster.local:3306/dbname
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $port := index . 2 -}}
|
||||
{{- $context := index . 3 -}}
|
||||
{{- $endpointScheme := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" }}
|
||||
{{- $endpointHost := tuple $type $endpoint $context | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
{{- $endpointPort := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- $endpointPath := tuple $type $endpoint $port $context | include "helm-toolkit.endpoints.keystone_endpoint_path_lookup" }}
|
||||
{{- if or ( and ( eq $endpointScheme "http" ) ( eq $endpointPort "80" ) ) ( and ( eq $endpointScheme "https" ) ( eq $endpointPort "443" ) ) -}}
|
||||
{{- printf "%s://%s%s" $endpointScheme $endpointHost $endpointPath -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s://%s:%s%s" $endpointScheme $endpointHost $endpointPort $endpointPath -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,61 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
This function returns endpoint "<namespace>:<name>" pair from an endpoint
|
||||
definition. This is used in kubernetes-entrypoint to support dependencies
|
||||
between different services in different namespaces.
|
||||
returns: the endpoint namespace and the service name, delimited by a colon
|
||||
|
||||
Normally, the service name is constructed dynamically from the hostname
|
||||
however when an ip address is used as the hostname, we default to
|
||||
namespace:endpointCategoryName in order to construct a valid service name
|
||||
however this can be overridden to a custom service name by defining
|
||||
.service.name within the endpoint definition
|
||||
values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
oslo_db:
|
||||
namespace: foo
|
||||
hosts:
|
||||
default: mariadb
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
usage: |
|
||||
{{ tuple oslo_db internal . | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}
|
||||
return: |
|
||||
foo:mariadb
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
|
||||
{{- $type := index . 0 -}}
|
||||
{{- $endpoint := index . 1 -}}
|
||||
{{- $context := index . 2 -}}
|
||||
{{- $typeYamlSafe := $type | replace "-" "_" }}
|
||||
{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
|
||||
{{- with $endpointMap -}}
|
||||
{{- $endpointName := index .hosts $endpoint | default .hosts.default }}
|
||||
{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
|
||||
{{- if regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName }}
|
||||
{{- if .service.name }}
|
||||
{{- printf "%s:%s" $endpointNamespace .service.name -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s:%s" $endpointNamespace $typeYamlSafe -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s:%s" $endpointNamespace $endpointName -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
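Review bot: The IP test `regexMatch "[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+" $endpointName` is unanchored, so any host value that merely contains a dotted quad (a constructed example: `db.10.0.0.5.example`) takes the IP branch, and the dependency is emitted against `$typeYamlSafe` or `.service.name` instead of the real host. Anchoring it, `{{- if regexMatch "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+$" $endpointName }}`, limits the substitution to literal IPv4 hosts. Inside that branch `{{- if .service.name }}` presumably fails to render when the endpoint has no `service` map at all, so the documented fallback to the category name may only work when `service` is present. Reading it through `{{- $svc := .service | default dict }}` and testing `$svc.name` would avoid that. The usage line in the doc block also passes `oslo_db` and `internal` unquoted.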
|
@ -0,0 +1,111 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Creates a manifest for kubernete ceph storageclass
|
||||
examples:
|
||||
- values: |
|
||||
manifests:
|
||||
storageclass: true
|
||||
storageclass:
|
||||
rbd:
|
||||
provision_storage_class: true
|
||||
provisioner: "ceph.com/rbd"
|
||||
metadata:
|
||||
default_storage_class: true
|
||||
name: general
|
||||
parameters:
|
||||
#We will grab the monitors value based on helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup
|
||||
pool: rbd
|
||||
admin_id: admin
|
||||
ceph_configmap_name: "ceph-etc"
|
||||
admin_secret_name: "pvc-ceph-conf-combined-storageclass"
|
||||
admin_secret_namespace: ceph
|
||||
user_id: admin
|
||||
user_secret_name: "pvc-ceph-client-key"
|
||||
image_format: "2"
|
||||
image_features: layering
|
||||
cephfs:
|
||||
provision_storage_class: true
|
||||
provisioner: "ceph.com/cephfs"
|
||||
metadata:
|
||||
name: cephfs
|
||||
parameters:
|
||||
admin_id: admin
|
||||
admin_secret_name: "pvc-ceph-cephfs-client-key"
|
||||
admin_secret_namespace: ceph
|
||||
usage: |
|
||||
{{- range $storageclass, $val := .Values.storageclass }}
|
||||
{{ dict "storageclass_data" $val "envAll" $ | include "helm-toolkit.manifests.ceph-storageclass" }}
|
||||
{{- end }}
|
||||
return: |
|
||||
---
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
annotations:
|
||||
storageclass.kubernetes.io/is-default-class: "true"
|
||||
name: general
|
||||
provisioner: ceph.com/rbd
|
||||
parameters:
|
||||
monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
|
||||
adminId: admin
|
||||
adminSecretName: pvc-ceph-conf-combined-storageclass
|
||||
adminSecretNamespace: ceph
|
||||
pool: rbd
|
||||
userId: admin
|
||||
userSecretName: pvc-ceph-client-key
|
||||
image_format: "2"
|
||||
image_features: layering
|
||||
---
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
name: cephfs
|
||||
provisioner: ceph.com/cephfs
|
||||
parameters:
|
||||
monitors: ceph-mon.<ceph-namespace>.svc.<k8s-domain-name>:6789
|
||||
adminId: admin
|
||||
adminSecretName: pvc-ceph-cephfs-client-key
|
||||
adminSecretNamespace: ceph
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.ceph-storageclass" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $monHost := $envAll.Values.conf.ceph.global.mon_host -}}
|
||||
{{- if empty $monHost -}}
|
||||
{{- $monHost = tuple "ceph_mon" "internal" "mon" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" -}}
|
||||
{{- end -}}
|
||||
{{- $storageclassData := index . "storageclass_data" -}}
|
||||
---
|
||||
{{- if $storageclassData.provision_storage_class }}
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
{{- if $storageclassData.metadata.default_storage_class }}
|
||||
annotations:
|
||||
storageclass.kubernetes.io/is-default-class: "true"
|
||||
{{- end }}
|
||||
name: {{ $storageclassData.metadata.name }}
|
||||
provisioner: {{ $storageclassData.provisioner }}
|
||||
parameters:
|
||||
monitors: {{ $monHost }}
|
||||
{{- range $attr, $value := $storageclassData.parameters }}
|
||||
{{ $attr }}: {{ $value | quote }}
|
||||
{{- end }}
|
||||
allowVolumeExpansion: true
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
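Review bot: The `return:` example does not match what the loop `{{ $attr }}: {{ $value | quote }}` produces: keys are emitted verbatim, so `admin_id`, `admin_secret_name` and `user_id` from the sample values would not come out as `adminId`, `adminSecretName` and `userId`, and the sample omits `allowVolumeExpansion: true`. The doc block should show the values keyed the way they must reach the StorageClass. `name`, `provisioner` and `monitors` are interpolated unquoted while the parameters are quoted; `monitors: {{ $monHost | quote }}`, and the same for the other two, keeps a YAML-special value from changing the document structure. The sample also sets `user_id: admin`, reusing the Ceph admin identity for volume access; a restricted client would be a safer example to copy.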
|
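--- a/charts/deps/helm-toolkit/templates/manifests/_certificates.tpl
+++ b/charts/deps/helm-toolkit/templates/manifests/_certificates.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+Creates a certificate using jetstack
+examples:
+- values: |
+endpoints:
+dashboard:
+host_fqdn_override:
+default:
+host: null
+tls:
+secretName: keystone-tls-api
+issuerRef:
+name: ca-issuer
+duration: 2160h
+organization:
+- ACME
+commonName: keystone-api.openstack.svc.cluster.local
+privateKey:
+size: 2048
+usages:
+- server auth
+- client auth
+dnsNames:
+- cluster.local
+issuerRef:
+name: ca-issuer
+usage: |
+{{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+{{ $opts | include "helm-toolkit.manifests.certificates" }}
+return: |
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: keystone-tls-api
+namespace: NAMESPACE
+spec:
+commonName: keystone-api.openstack.svc.cluster.local
+dnsNames:
+- cluster.local
+duration: 2160h
+issuerRef:
+name: ca-issuer
+privateKey:
+size: 2048
+organization:
+- ACME
+secretName: keystone-tls-api
+usages:
+- server auth
+- client auth
+*/}}
+
+{{- define "helm-toolkit.manifests.certificates" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $service := index . "service" -}}
+{{- $type := index . "type" | default "" -}}
+{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
+{{/* Put in some sensible default value if one is not provided by values.yaml */}}
+{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
+This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
+{{- if not (hasKey $slice "dnsNames") -}}
+{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
+{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
+{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
+{{- end -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
+{{- end -}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
+{{- if not (hasKey $slice "duration") -}}
+{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
+{{- end -}}
+{{/* Default renewBefore to 15 days. This can be overridden. */}}
+{{- if not (hasKey $slice "renewBefore") -}}
+{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "renewBefore" -}}
+{{- end -}}
+{{/* Default the usage to server auth and client auth. This can be overridden. */}}
+{{- if not (hasKey $slice "usages") -}}
+{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
+namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{ $slice | toYaml | indent 2 }}
+{{- end -}}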
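Review bot: `{{ $slice | toYaml | indent 2 }}` copies every key under `host_fqdn_override.default.tls` into the Certificate `spec`, so anything else an operator keeps in that map is published in the object. The `_ingress.tpl` examples on this page put `crt`, `key` and `ca` in a sibling `tls` map; if the same is done under `default`, the private key would be written into the Certificate resource. Dropping those keys before rendering, `{{ omit $slice "crt" "key" "ca" | toYaml | indent 2 }}`, is a small guard. `metadata.name` is taken from `secretName` without a check, so a missing value presumably renders an empty name; `required` would turn that into a clear render error. The defaults are written back into `.Values` with `set`, which deserves a comment because later templates see the mutated map, and the example values list `issuerRef` twice.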
727
charts/deps/helm-toolkit/templates/manifests/_ingress.tpl
Normal file
727
charts/deps/helm-toolkit/templates/manifests/_ingress.tpl
Normal file
@ -0,0 +1,727 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Creates a manifest for a services ingress rules.
|
||||
examples:
|
||||
- values: |
|
||||
network:
|
||||
api:
|
||||
ingress:
|
||||
public: true
|
||||
classes:
|
||||
namespace: "nginx"
|
||||
cluster: "nginx-cluster"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
secrets:
|
||||
tls:
|
||||
key_manager:
|
||||
api:
|
||||
public: barbican-tls-public
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
key_manager:
|
||||
name: barbican
|
||||
hosts:
|
||||
default: barbican-api
|
||||
public: barbican
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
public:
|
||||
host: barbican.openstackhelm.example
|
||||
tls:
|
||||
crt: |
|
||||
FOO-CRT
|
||||
key: |
|
||||
FOO-KEY
|
||||
ca: |
|
||||
FOO-CA_CRT
|
||||
path:
|
||||
default: /
|
||||
scheme:
|
||||
default: http
|
||||
public: https
|
||||
port:
|
||||
api:
|
||||
default: 9311
|
||||
public: 80
|
||||
usage: |
|
||||
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
|
||||
return: |
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: barbican
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
|
||||
spec:
|
||||
rules:
|
||||
- host: barbican
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- host: barbican.default
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- host: barbican.default.svc.cluster.local
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: barbican-namespace-fqdn
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
|
||||
spec:
|
||||
tls:
|
||||
- secretName: barbican-tls-public
|
||||
hosts:
|
||||
- barbican.openstackhelm.example
|
||||
rules:
|
||||
- host: barbican.openstackhelm.example
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: barbican-cluster-fqdn
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx-cluster"
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
|
||||
spec:
|
||||
tls:
|
||||
- secretName: barbican-tls-public
|
||||
hosts:
|
||||
- barbican.openstackhelm.example
|
||||
rules:
|
||||
- host: barbican.openstackhelm.example
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- values: |
|
||||
network:
|
||||
api:
|
||||
ingress:
|
||||
public: true
|
||||
classes:
|
||||
namespace: "nginx"
|
||||
cluster: "nginx-cluster"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
secrets:
|
||||
tls:
|
||||
key_manager:
|
||||
api:
|
||||
public: barbican-tls-public
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
key_manager:
|
||||
name: barbican
|
||||
hosts:
|
||||
default: barbican-api
|
||||
public:
|
||||
host: barbican
|
||||
tls:
|
||||
crt: |
|
||||
FOO-CRT
|
||||
key: |
|
||||
FOO-KEY
|
||||
ca: |
|
||||
FOO-CA_CRT
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path:
|
||||
default: /
|
||||
scheme:
|
||||
default: http
|
||||
public: https
|
||||
port:
|
||||
api:
|
||||
default: 9311
|
||||
public: 80
|
||||
usage: |
|
||||
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" ) -}}
|
||||
return: |
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: barbican
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
|
||||
spec:
|
||||
tls:
|
||||
- secretName: barbican-tls-public
|
||||
hosts:
|
||||
- barbican
|
||||
- barbican.default
|
||||
- barbican.default.svc.cluster.local
|
||||
rules:
|
||||
- host: barbican
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- host: barbican.default
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- host: barbican.default.svc.cluster.local
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- values: |
|
||||
cert_issuer_type: issuer
|
||||
network:
|
||||
api:
|
||||
ingress:
|
||||
public: true
|
||||
classes:
|
||||
namespace: "nginx"
|
||||
cluster: "nginx-cluster"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/secure-backends: "true"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||
secrets:
|
||||
tls:
|
||||
key_manager:
|
||||
api:
|
||||
public: barbican-tls-public
|
||||
internal: barbican-tls-api
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
key_manager:
|
||||
name: barbican
|
||||
hosts:
|
||||
default: barbican-api
|
||||
public:
|
||||
host: barbican
|
||||
tls:
|
||||
crt: |
|
||||
FOO-CRT
|
||||
key: |
|
||||
FOO-KEY
|
||||
ca: |
|
||||
FOO-CA_CRT
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path:
|
||||
default: /
|
||||
scheme:
|
||||
default: http
|
||||
public: https
|
||||
port:
|
||||
api:
|
||||
default: 9311
|
||||
public: 80
|
||||
certs:
|
||||
barbican_tls_api:
|
||||
secretName: barbican-tls-api
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
kind: Issuer
|
||||
usage: |
|
||||
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" ) -}}
|
||||
return: |
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: barbican
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
cert-manager.io/issuer: ca-issuer
|
||||
certmanager.k8s.io/issuer: ca-issuer
|
||||
nginx.ingress.kubernetes.io/backend-protocol: https
|
||||
nginx.ingress.kubernetes.io/secure-backends: "true"
|
||||
spec:
|
||||
tls:
|
||||
- secretName: barbican-tls-public-certmanager
|
||||
hosts:
|
||||
- barbican
|
||||
- barbican.default
|
||||
- barbican.default.svc.cluster.local
|
||||
rules:
|
||||
- host: barbican
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- host: barbican.default
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- host: barbican.default.svc.cluster.local
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
|
||||
- values: |
|
||||
network:
|
||||
api:
|
||||
ingress:
|
||||
public: true
|
||||
classes:
|
||||
namespace: "nginx"
|
||||
cluster: "nginx-cluster"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/secure-backends: "true"
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "https"
|
||||
secrets:
|
||||
tls:
|
||||
key_manager:
|
||||
api:
|
||||
public: barbican-tls-public
|
||||
internal: barbican-tls-api
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
key_manager:
|
||||
name: barbican
|
||||
hosts:
|
||||
default: barbican-api
|
||||
public:
|
||||
host: barbican
|
||||
tls:
|
||||
crt: |
|
||||
FOO-CRT
|
||||
key: |
|
||||
FOO-KEY
|
||||
ca: |
|
||||
FOO-CA_CRT
|
||||
host_fqdn_override:
|
||||
default: null
|
||||
path:
|
||||
default: /
|
||||
scheme:
|
||||
default: http
|
||||
public: https
|
||||
port:
|
||||
api:
|
||||
default: 9311
|
||||
public: 80
|
||||
certs:
|
||||
barbican_tls_api:
|
||||
secretName: barbican-tls-api
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
kind: ClusterIssuer
|
||||
usage: |
|
||||
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
|
||||
return: |
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: barbican
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
cert-manager.io/cluster-issuer: ca-issuer
|
||||
certmanager.k8s.io/cluster-issuer: ca-issuer
|
||||
nginx.ingress.kubernetes.io/backend-protocol: https
|
||||
nginx.ingress.kubernetes.io/secure-backends: "true"
|
||||
spec:
|
||||
tls:
|
||||
- secretName: barbican-tls-public-certmanager
|
||||
hosts:
|
||||
- barbican
|
||||
- barbican.default
|
||||
- barbican.default.svc.cluster.local
|
||||
rules:
|
||||
- host: barbican
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- host: barbican.default
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
- host: barbican.default.svc.cluster.local
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: barbican-api
|
||||
port:
|
||||
name: b-api
|
||||
# Sample usage for multiple DNS names associated with the same public
|
||||
# endpoint and certificate
|
||||
- values: |
|
||||
endpoints:
|
||||
cluster_domain_suffix: cluster.local
|
||||
grafana:
|
||||
name: grafana
|
||||
hosts:
|
||||
default: grafana-dashboard
|
||||
public: grafana
|
||||
host_fqdn_override:
|
||||
public:
|
||||
host: grafana.openstackhelm.example
|
||||
tls:
|
||||
dnsNames:
|
||||
- grafana-alt.openstackhelm.example
|
||||
crt: "BASE64 ENCODED CERT"
|
||||
key: "BASE64 ENCODED KEY"
|
||||
network:
|
||||
grafana:
|
||||
ingress:
|
||||
classes:
|
||||
namespace: "nginx"
|
||||
cluster: "nginx-cluster"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
secrets:
|
||||
tls:
|
||||
grafana:
|
||||
grafana:
|
||||
public: grafana-tls-public
|
||||
usage: |
|
||||
{{- $ingressOpts := dict "envAll" . "backendService" "grafana" "backendServiceType" "grafana" "backendPort" "dashboard" -}}
|
||||
{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
|
||||
return: |
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: grafana
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
|
||||
spec:
|
||||
rules:
|
||||
- host: grafana
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: grafana-dashboard
|
||||
port:
|
||||
name: dashboard
|
||||
- host: grafana.default
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: grafana-dashboard
|
||||
port:
|
||||
name: dashboard
|
||||
- host: grafana.default.svc.cluster.local
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: grafana-dashboard
|
||||
port:
|
||||
name: dashboard
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: grafana-namespace-fqdn
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
|
||||
spec:
|
||||
tls:
|
||||
- secretName: grafana-tls-public
|
||||
hosts:
|
||||
- grafana.openstackhelm.example
|
||||
- grafana-alt.openstackhelm.example
|
||||
rules:
|
||||
- host: grafana.openstackhelm.example
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: grafana-dashboard
|
||||
port:
|
||||
name: dashboard
|
||||
- host: grafana-alt.openstackhelm.example
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: grafana-dashboard
|
||||
port:
|
||||
name: dashboard
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: grafana-cluster-fqdn
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx-cluster"
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||
|
||||
spec:
|
||||
tls:
|
||||
- secretName: grafana-tls-public
|
||||
hosts:
|
||||
- grafana.openstackhelm.example
|
||||
- grafana-alt.openstackhelm.example
|
||||
rules:
|
||||
- host: grafana.openstackhelm.example
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: grafana-dashboard
|
||||
port:
|
||||
name: dashboard
|
||||
- host: grafana-alt.openstackhelm.example
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: grafana-dashboard
|
||||
port:
|
||||
name: dashboard
|
||||
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.ingress._host_rules" -}}
|
||||
{{- $vHost := index . "vHost" -}}
|
||||
{{- $backendName := index . "backendName" -}}
|
||||
{{- $backendPort := index . "backendPort" -}}
|
||||
- host: {{ $vHost }}
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: {{ $backendName }}
|
||||
port:
|
||||
{{- if or (kindIs "int" $backendPort) (regexMatch "^[0-9]{1,5}$" $backendPort) }}
|
||||
number: {{ $backendPort | int }}
|
||||
{{- else }}
|
||||
name: {{ $backendPort | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "helm-toolkit.manifests.ingress" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $backendService := index . "backendService" | default "api" -}}
|
||||
{{- $backendServiceType := index . "backendServiceType" -}}
|
||||
{{- $backendPort := index . "backendPort" -}}
|
||||
{{- $endpoint := index . "endpoint" | default "public" -}}
|
||||
{{- $certIssuer := index . "certIssuer" | default "" -}}
|
||||
{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
|
||||
{{- $certIssuerType := "cluster-issuer" -}}
|
||||
{{- if $envAll.Values.cert_issuer_type }}
|
||||
{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ $ingressName }}
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" "namespace" | quote }}
|
||||
{{- if $certIssuer }}
|
||||
cert-manager.io/{{ $certIssuerType }}: {{ $certIssuer }}
|
||||
certmanager.k8s.io/{{ $certIssuerType }}: {{ $certIssuer }}
|
||||
{{- $slice := index $envAll.Values.endpoints $backendServiceType "host_fqdn_override" "default" "tls" -}}
|
||||
{{- if (hasKey $slice "duration") }}
|
||||
cert-manager.io/duration: {{ index $slice "duration" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
|
||||
spec:
|
||||
{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "hosts" }}
|
||||
{{- if $certIssuer }}
|
||||
{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
|
||||
{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
|
||||
tls:
|
||||
- secretName: {{ printf "%s-ing" $secretName }}
|
||||
hosts:
|
||||
{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
|
||||
- {{ $vHost }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- if hasKey $host $endpoint }}
|
||||
{{- $endpointHost := index $host $endpoint }}
|
||||
{{- if kindIs "map" $endpointHost }}
|
||||
{{- if hasKey $endpointHost "tls" }}
|
||||
{{- if and ( not ( empty $endpointHost.tls.key ) ) ( not ( empty $endpointHost.tls.crt ) ) }}
|
||||
{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
|
||||
{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
|
||||
tls:
|
||||
- secretName: {{ $secretName }}
|
||||
hosts:
|
||||
{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
|
||||
- {{ $vHost }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- range $key1, $vHost := tuple $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) }}
|
||||
{{- $hostRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
|
||||
{{ $hostRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if not ( hasSuffix ( printf ".%s.svc.%s" $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) $hostNameFull) }}
|
||||
{{- $ingressConf := $envAll.Values.network -}}
|
||||
{{- $ingressClasses := ternary (tuple "namespace") (tuple "namespace" "cluster") (and (hasKey $ingressConf "use_external_ingress_controller") $ingressConf.use_external_ingress_controller) }}
|
||||
{{- range $key2, $ingressController := $ingressClasses }}
|
||||
{{- $vHosts := list $hostNameFull }}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ printf "%s-%s-%s" $ingressName $ingressController "fqdn" }}
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: {{ index $envAll.Values.network $backendService "ingress" "classes" $ingressController | quote }}
|
||||
{{ toYaml (index $envAll.Values.network $backendService "ingress" "annotations") | indent 4 }}
|
||||
spec:
|
||||
{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
|
||||
{{- if hasKey $host $endpoint }}
|
||||
{{- $endpointHost := index $host $endpoint }}
|
||||
{{- if kindIs "map" $endpointHost }}
|
||||
{{- if hasKey $endpointHost "tls" }}
|
||||
{{- range $v := without (index $endpointHost.tls "dnsNames" | default list) $hostNameFull }}
|
||||
{{- $vHosts = append $vHosts $v }}
|
||||
{{- end }}
|
||||
{{- $secretName := index $envAll.Values.secrets "tls" ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
|
||||
{{- $_ := required "You need to specify a secret in your values for the endpoint" $secretName }}
|
||||
tls:
|
||||
- secretName: {{ $secretName }}
|
||||
hosts:
|
||||
{{- range $vHost := $vHosts }}
|
||||
- {{ $vHost }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- range $vHost := $vHosts }}
|
||||
{{- $hostNameFullRules := dict "vHost" $vHost "backendName" $backendName "backendPort" $backendPort }}
|
||||
{{ $hostNameFullRules | include "helm-toolkit.manifests.ingress._host_rules" | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
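--- a/charts/deps/helm-toolkit/templates/manifests/_job-bootstrap.tpl
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-bootstrap.tpl
@@ -0,0 +1,141 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for db creation and user management.
+# It can be used in charts dict created similar to the following:
+# {- $bootstrapJob := dict "envAll" . "serviceName" "senlin" -}
+# { $bootstrapJob | include "helm-toolkit.manifests.job_bootstrap" }
+
+{{- define "helm-toolkit.manifests.job_bootstrap" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $podVolMounts := index . "podVolMounts" | default false -}}
+{{- $podVols := index . "podVols" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
+{{- $configFile := index . "configFile" | default (printf "/etc/%s/%s.conf" $serviceName $serviceName ) -}}
+{{- $logConfigFile := index . "logConfigFile" | default (printf "/etc/%s/logging.conf" $serviceName ) -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $keystoneUser := index . "keystoneUser" | default $serviceName -}}
+{{- $openrc := index . "openrc" | default "true" -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "bootstrap" }}
+{{ tuple $envAll "bootstrap" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: {{ printf "%s-%s" $serviceNamePretty "bootstrap" | quote }}
+labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+template:
+metadata:
+labels:
+{{ tuple $envAll $serviceName "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+spec:
+serviceAccountName: {{ $serviceAccountName }}
+restartPolicy: OnFailure
+{{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+initContainers:
+{{ tuple $envAll "bootstrap" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+containers:
+- name: bootstrap
+image: {{ $envAll.Values.images.tags.bootstrap }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.bootstrap | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{- if eq $openrc "true" }}
+env:
+{{- with $env := dict "ksUserSecret" ( index $envAll.Values.secrets.identity $keystoneUser ) "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+{{- end }}
+command:
+- /bin/bash
+- -c
+- /tmp/bootstrap.sh
+volumeMounts:
+- name: pod-tmp
+mountPath: /tmp
+- name: bootstrap-sh
+mountPath: /tmp/bootstrap.sh
+subPath: bootstrap.sh
+readOnly: true
+- name: etc-service
+mountPath: {{ dir $configFile | quote }}
+- name: bootstrap-conf
+mountPath: {{ $configFile | quote }}
+subPath: {{ base $configFile | quote }}
+readOnly: true
+- name: bootstrap-conf
+mountPath: {{ $logConfigFile | quote }}
+subPath: {{ base $logConfigFile | quote }}
+readOnly: true
+{{ dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $podVolMounts }}
+{{ $podVolMounts | toYaml | indent 12 }}
+{{- end }}
+volumes:
+- name: pod-tmp
+emptyDir: {}
+- name: bootstrap-sh
+{{- if $secretBin }}
+secret:
+secretName: {{ $secretBin | quote }}
+defaultMode: 0555
+{{- else }}
+configMap:
+name: {{ $configMapBin | quote }}
+defaultMode: 0555
+{{- end }}
+- name: etc-service
+emptyDir: {}
+- name: bootstrap-conf
+secret:
+secretName: {{ $configMapEtc | quote }}
+defaultMode: 0444
+{{- dict "enabled" (ne $tlsSecret "") "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $podVols }}
+{{ $podVols | toYaml | indent 8 }}
+{{- end }}
+{{- end }}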
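Review bot: The `openrc` switch set by `{{- $openrc := index . "openrc" | default "true" -}}` cannot be turned off with a boolean: `default` treats `false` as empty and substitutes `"true"`, so a caller passing `"openrc" false` still gets the `env:` block built from `ksUserSecret` by `helm-toolkit.snippets.keystone_openrc_env_vars`. A boolean `true` is likely no better, because `eq $openrc "true"` then compares a bool with a string and should fail at render time. Only the string `"false"` disables the injection today, which is easy to get wrong when the intent is to keep Keystone credentials out of the pod. Read the default only when the key is absent and normalise the value: `{{- $openrc := "true" -}}` followed by `{{- if hasKey . "openrc" }}{{- $openrc = index . "openrc" | toString }}{{- end }}`. The header comment also describes "db creation and user management", which looks copied from the db-init template and should describe the bootstrap job instead.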
@ -0,0 +1,170 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This function creates a manifest for db creation and user management.
|
||||
# It can be used in charts dict created similar to the following:
|
||||
# {- $dbToDropJob := dict "envAll" . "serviceName" "senlin" -}
|
||||
# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
|
||||
#
|
||||
# If the service does not use oslo then the db can be managed with:
|
||||
# {- $dbToDrop := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
|
||||
# {- $dbToDropJob := dict "envAll" . "serviceName" "horizon" "dbToDrop" $dbToDrop -}
|
||||
# { $dbToDropJob | include "helm-toolkit.manifests.job_db_drop_mysql" }
|
||||
|
||||
{{- define "helm-toolkit.manifests.job_db_drop_mysql" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $serviceName := index . "serviceName" -}}
|
||||
{{- $jobAnnotations := index . "jobAnnotations" -}}
|
||||
{{- $jobLabels := index . "jobLabels" -}}
|
||||
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
|
||||
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
|
||||
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
|
||||
{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
|
||||
{{- $dbToDrop := index . "dbToDrop" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
|
||||
{{- $dbsToDrop := default (list $dbToDrop) (index . "dbsToDrop") }}
|
||||
{{- $secretBin := index . "secretBin" -}}
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-drop" }}
|
||||
{{ tuple $envAll "db_drop" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $serviceNamePretty "db-drop" | quote }}
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-delete
|
||||
"helm.sh/hook-delete-policy": hook-succeeded
|
||||
{{- if $jobAnnotations }}
|
||||
{{ toYaml $jobAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $backoffLimit }}
|
||||
{{- if $activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
{{ tuple $envAll "db_drop" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
|
||||
nodeSelector:
|
||||
{{ toYaml $nodeSelector | indent 8 }}
|
||||
{{- if $tolerationsEnabled }}
|
||||
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
|
||||
{{- end}}
|
||||
initContainers:
|
||||
{{ tuple $envAll "db_drop" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
{{- range $key1, $dbToDrop := $dbsToDrop }}
|
||||
{{ $dbToDropType := default "oslo" $dbToDrop.inputType }}
|
||||
- name: {{ printf "%s-%s-%d" $serviceNamePretty "db-drop" $key1 | quote }}
|
||||
image: {{ $envAll.Values.images.tags.db_drop }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_drop | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
env:
|
||||
- name: ROOT_DB_CONNECTION
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $dbToDrop.adminSecret | quote }}
|
||||
key: DB_CONNECTION
|
||||
{{- if eq $dbToDropType "oslo" }}
|
||||
- name: OPENSTACK_CONFIG_FILE
|
||||
value: {{ $dbToDrop.configFile | quote }}
|
||||
- name: OPENSTACK_CONFIG_DB_SECTION
|
||||
value: {{ $dbToDrop.configDbSection | quote }}
|
||||
- name: OPENSTACK_CONFIG_DB_KEY
|
||||
value: {{ $dbToDrop.configDbKey | quote }}
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: MARIADB_X509
|
||||
value: "REQUIRE X509"
|
||||
{{- end }}
|
||||
{{- if eq $dbToDropType "secret" }}
|
||||
- name: DB_CONNECTION
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $dbToDrop.userSecret | quote }}
|
||||
key: DB_CONNECTION
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/db-drop.py
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: db-drop-sh
|
||||
mountPath: /tmp/db-drop.py
|
||||
subPath: db-drop.py
|
||||
readOnly: true
|
||||
|
||||
{{- if eq $dbToDropType "oslo" }}
|
||||
- name: etc-service
|
||||
mountPath: {{ dir $dbToDrop.configFile | quote }}
|
||||
- name: db-drop-conf
|
||||
mountPath: {{ $dbToDrop.configFile | quote }}
|
||||
subPath: {{ base $dbToDrop.configFile | quote }}
|
||||
readOnly: true
|
||||
- name: db-drop-conf
|
||||
mountPath: {{ $dbToDrop.logConfigFile | quote }}
|
||||
subPath: {{ base $dbToDrop.logConfigFile | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: db-drop-sh
|
||||
{{- if $secretBin }}
|
||||
secret:
|
||||
secretName: {{ $secretBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- else }}
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- $local := dict "configMapBinFirst" true -}}
|
||||
{{- range $key1, $dbToDrop := $dbsToDrop }}
|
||||
{{- $dbToDropType := default "oslo" $dbToDrop.inputType }}
|
||||
{{- if and (eq $dbToDropType "oslo") $local.configMapBinFirst }}
|
||||
{{- $_ := set $local "configMapBinFirst" false }}
|
||||
- name: etc-service
|
||||
emptyDir: {}
|
||||
- name: db-drop-conf
|
||||
secret:
|
||||
secretName: {{ $configMapEtc | quote }}
|
||||
defaultMode: 0444
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
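Review bot: When `$envAll.Values.manifests.certificates` is set, the container gets `MARIADB_X509` set to `"REQUIRE X509"` and both TLS snippets are called with `"enabled"` true, but `$dbAdminTlsSecret` still defaults to `""`, so a caller that omits `dbAdminTlsSecret` hands an empty secret name to `helm-toolkit.snippets.tls_volume` and `tls_volume_mount`. What those snippets render for an empty name is not visible in this section; the bootstrap template on this page avoids the question by using `(ne $tlsSecret "")` as the enable flag. Fail at render time instead, right after the `$dbAdminTlsSecret` assignment: `{{- if $envAll.Values.manifests.certificates }}{{- $_ := required "dbAdminTlsSecret must be set when manifests.certificates is enabled" $dbAdminTlsSecret }}{{- end }}`. The `job_db_init_mysql` section that follows is written the same way and needs the same guard. Separately, the header comment says this template is for "db creation and user management" although it renders a `pre-delete` hook that runs `/tmp/db-drop.py`; it should say so.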
@ -0,0 +1,169 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This function creates a manifest for db creation and user management.
|
||||
# It can be used in charts dict created similar to the following:
|
||||
# {- $dbToInitJob := dict "envAll" . "serviceName" "senlin" -}
|
||||
# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
|
||||
#
|
||||
# If the service does not use oslo then the db can be managed with:
|
||||
# {- $dbToInit := dict "inputType" "secret" "adminSecret" .Values.secrets.oslo_db.admin "userSecret" .Values.secrets.oslo_db.horizon -}
|
||||
# {- $dbToInitJob := dict "envAll" . "serviceName" "horizon" "dbToInit" $dbToInit -}
|
||||
# { $dbToInitJob | include "helm-toolkit.manifests.job_db_init_mysql" }
|
||||
|
||||
{{- define "helm-toolkit.manifests.job_db_init_mysql" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $serviceName := index . "serviceName" -}}
|
||||
{{- $jobAnnotations := index . "jobAnnotations" -}}
|
||||
{{- $jobLabels := index . "jobLabels" -}}
|
||||
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
|
||||
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
|
||||
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
|
||||
{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
|
||||
{{- $dbToInit := index . "dbToInit" | default ( dict "adminSecret" $envAll.Values.secrets.oslo_db.admin "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "configDbSection" "database" "configDbKey" "connection" ) -}}
|
||||
{{- $dbsToInit := default (list $dbToInit) (index . "dbsToInit") }}
|
||||
{{- $secretBin := index . "secretBin" -}}
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-init" }}
|
||||
{{ tuple $envAll "db_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $serviceNamePretty "db-init" | quote }}
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if $jobAnnotations }}
|
||||
{{ toYaml $jobAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $backoffLimit }}
|
||||
{{- if $activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
{{ tuple $envAll "db_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
|
||||
nodeSelector:
|
||||
{{ toYaml $nodeSelector | indent 8 }}
|
||||
{{- if $tolerationsEnabled }}
|
||||
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
|
||||
{{- end}}
|
||||
initContainers:
|
||||
{{ tuple $envAll "db_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
{{- range $key1, $dbToInit := $dbsToInit }}
|
||||
{{ $dbToInitType := default "oslo" $dbToInit.inputType }}
|
||||
- name: {{ printf "%s-%s-%d" $serviceNamePretty "db-init" $key1 | quote }}
|
||||
image: {{ $envAll.Values.images.tags.db_init }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
env:
|
||||
- name: ROOT_DB_CONNECTION
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $dbToInit.adminSecret | quote }}
|
||||
key: DB_CONNECTION
|
||||
{{- if eq $dbToInitType "oslo" }}
|
||||
- name: OPENSTACK_CONFIG_FILE
|
||||
value: {{ $dbToInit.configFile | quote }}
|
||||
- name: OPENSTACK_CONFIG_DB_SECTION
|
||||
value: {{ $dbToInit.configDbSection | quote }}
|
||||
- name: OPENSTACK_CONFIG_DB_KEY
|
||||
value: {{ $dbToInit.configDbKey | quote }}
|
||||
{{- end }}
|
||||
{{- if eq $dbToInitType "secret" }}
|
||||
- name: DB_CONNECTION
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $dbToInit.userSecret | quote }}
|
||||
key: DB_CONNECTION
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
- name: MARIADB_X509
|
||||
value: "REQUIRE X509"
|
||||
{{- end }}
|
||||
command:
|
||||
- /tmp/db-init.py
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: db-init-sh
|
||||
mountPath: /tmp/db-init.py
|
||||
subPath: db-init.py
|
||||
readOnly: true
|
||||
{{- if eq $dbToInitType "oslo" }}
|
||||
- name: etc-service
|
||||
mountPath: {{ dir $dbToInit.configFile | quote }}
|
||||
- name: db-init-conf
|
||||
mountPath: {{ $dbToInit.configFile | quote }}
|
||||
subPath: {{ base $dbToInit.configFile | quote }}
|
||||
readOnly: true
|
||||
- name: db-init-conf
|
||||
mountPath: {{ $dbToInit.logConfigFile | quote }}
|
||||
subPath: {{ base $dbToInit.logConfigFile | quote }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: db-init-sh
|
||||
{{- if $secretBin }}
|
||||
secret:
|
||||
secretName: {{ $secretBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- else }}
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- $local := dict "configMapBinFirst" true -}}
|
||||
{{- range $key1, $dbToInit := $dbsToInit }}
|
||||
{{- $dbToInitType := default "oslo" $dbToInit.inputType }}
|
||||
{{- if and (eq $dbToInitType "oslo") $local.configMapBinFirst }}
|
||||
{{- $_ := set $local "configMapBinFirst" false }}
|
||||
- name: etc-service
|
||||
emptyDir: {}
|
||||
- name: db-init-conf
|
||||
secret:
|
||||
secretName: {{ $configMapEtc | quote }}
|
||||
defaultMode: 0444
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
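Review bot: Each db-init container receives the database admin connection string through `ROOT_DB_CONNECTION`, yet the container spec (image, pull policy, resources, env, command, volumeMounts) sets no `securityContext`, and none is visible at pod level unless one of the included snippets adds it. `/tmp` and the config directory are already `emptyDir` mounts and the script is mounted `readOnly`, so the container looks like a candidate for `securityContext:` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, placed after the `kubernetes_resources` include; confirm against what `db-init.py` writes. Making the block overridable from values would keep it consistent with how resources are handled here. The db-drop containers, which carry the same admin secret, and the bootstrap container have the same shape.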
137
charts/deps/helm-toolkit/templates/manifests/_job-db-sync.tpl
Normal file
137
charts/deps/helm-toolkit/templates/manifests/_job-db-sync.tpl
Normal file
@ -0,0 +1,137 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This function creates a manifest for db migration and management.
|
||||
# It can be used in charts dict created similar to the following:
|
||||
# {- $dbSyncJob := dict "envAll" . "serviceName" "senlin" -}
|
||||
# { $dbSyncJob | include "helm-toolkit.manifests.job_db_sync" }
|
||||
|
||||
{{- define "helm-toolkit.manifests.job_db_sync" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $serviceName := index . "serviceName" -}}
|
||||
{{- $jobAnnotations := index . "jobAnnotations" -}}
|
||||
{{- $jobLabels := index . "jobLabels" -}}
|
||||
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
|
||||
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
|
||||
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
|
||||
{{- $configMapEtc := index . "configMapEtc" | default (printf "%s-%s" $serviceName "etc" ) -}}
|
||||
{{- $podVolMounts := index . "podVolMounts" | default false -}}
|
||||
{{- $podVols := index . "podVols" | default false -}}
|
||||
{{- $podEnvVars := index . "podEnvVars" | default false -}}
|
||||
{{- $dbToSync := index . "dbToSync" | default ( dict "configFile" (printf "/etc/%s/%s.conf" $serviceName $serviceName ) "logConfigFile" (printf "/etc/%s/logging.conf" $serviceName ) "image" ( index $envAll.Values.images.tags ( printf "%s_db_sync" $serviceName )) ) -}}
|
||||
{{- $secretBin := index . "secretBin" -}}
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $dbAdminTlsSecret := index . "dbAdminTlsSecret" | default "" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "db-sync" }}
|
||||
{{ tuple $envAll "db_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if $jobAnnotations }}
|
||||
{{ toYaml $jobAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $backoffLimit }}
|
||||
{{- if $activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
{{ tuple $envAll "db_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
|
||||
nodeSelector:
|
||||
{{ toYaml $nodeSelector | indent 8 }}
|
||||
{{- if $tolerationsEnabled }}
|
||||
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
|
||||
{{- end}}
|
||||
initContainers:
|
||||
{{ tuple $envAll "db_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
- name: {{ printf "%s-%s" $serviceNamePretty "db-sync" | quote }}
|
||||
image: {{ $dbToSync.image | quote }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{- if $podEnvVars }}
|
||||
env:
|
||||
{{ $podEnvVars | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- /tmp/db-sync.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: db-sync-sh
|
||||
mountPath: /tmp/db-sync.sh
|
||||
subPath: db-sync.sh
|
||||
readOnly: true
|
||||
- name: etc-service
|
||||
mountPath: {{ dir $dbToSync.configFile | quote }}
|
||||
- name: db-sync-conf
|
||||
mountPath: {{ $dbToSync.configFile | quote }}
|
||||
subPath: {{ base $dbToSync.configFile | quote }}
|
||||
readOnly: true
|
||||
- name: db-sync-conf
|
||||
mountPath: {{ $dbToSync.logConfigFile | quote }}
|
||||
subPath: {{ base $dbToSync.logConfigFile | quote }}
|
||||
readOnly: true
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- if $podVolMounts }}
|
||||
{{ $podVolMounts | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: db-sync-sh
|
||||
{{- if $secretBin }}
|
||||
secret:
|
||||
secretName: {{ $secretBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- else }}
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
- name: etc-service
|
||||
emptyDir: {}
|
||||
- name: db-sync-conf
|
||||
secret:
|
||||
secretName: {{ $configMapEtc | quote }}
|
||||
defaultMode: 0444
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $dbAdminTlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- if $podVols }}
|
||||
{{ $podVols | toYaml | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,130 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This function creates a manifest for keystone service management.
|
||||
# It can be used in charts dict created similar to the following:
|
||||
# {- $ksEndpointJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
|
||||
# { $ksEndpointJob | include "helm-toolkit.manifests.job_ks_endpoints" }
|
||||
|
||||
{{- define "helm-toolkit.manifests.job_ks_endpoints" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $serviceName := index . "serviceName" -}}
|
||||
{{- $serviceTypes := index . "serviceTypes" -}}
|
||||
{{- $jobAnnotations := index . "jobAnnotations" -}}
|
||||
{{- $jobLabels := index . "jobLabels" -}}
|
||||
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
|
||||
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
|
||||
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
|
||||
{{- $secretBin := index . "secretBin" -}}
|
||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $restartPolicy_ := "OnFailure" -}}
|
||||
{{- if hasKey $envAll.Values "jobs" -}}
|
||||
{{- if hasKey $envAll.Values.jobs "ks_endpoints" -}}
|
||||
{{- $restartPolicy_ = $envAll.Values.jobs.ks_endpoints.restartPolicy | default $restartPolicy_ }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-endpoints" }}
|
||||
{{ tuple $envAll "ks_endpoints" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $serviceNamePretty "ks-endpoints" | quote }}
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if $jobAnnotations }}
|
||||
{{ toYaml $jobAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $backoffLimit }}
|
||||
{{- if $activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: {{ $restartPolicy }}
|
||||
{{ tuple $envAll "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
|
||||
nodeSelector:
|
||||
{{ toYaml $nodeSelector | indent 8 }}
|
||||
{{- if $tolerationsEnabled }}
|
||||
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
|
||||
{{- end}}
|
||||
initContainers:
|
||||
{{ tuple $envAll "ks_endpoints" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
{{- range $key1, $osServiceType := $serviceTypes }}
|
||||
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
|
||||
- name: {{ printf "%s-%s-%s" $osServiceType "ks-endpoints" $osServiceEndPoint | quote }}
|
||||
image: {{ $envAll.Values.images.tags.ks_endpoints }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- /tmp/ks-endpoints.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: ks-endpoints-sh
|
||||
mountPath: /tmp/ks-endpoints.sh
|
||||
subPath: ks-endpoints.sh
|
||||
readOnly: true
|
||||
{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
- name: OS_SVC_ENDPOINT
|
||||
value: {{ $osServiceEndPoint | quote }}
|
||||
- name: OS_SERVICE_NAME
|
||||
value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
|
||||
- name: OS_SERVICE_TYPE
|
||||
value: {{ $osServiceType | quote }}
|
||||
- name: OS_SERVICE_ENDPOINT
|
||||
value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: ks-endpoints-sh
|
||||
{{- if $secretBin }}
|
||||
secret:
|
||||
secretName: {{ $secretBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- else }}
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
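Review bot: The pod spec and the `ks-endpoints` containers are rendered without any security context, although every container receives the secret named by `$envAll.Values.secrets.identity.admin` through `helm-toolkit.snippets.keystone_openrc_env_vars`. `job_ks_user` in this same commit already calls both snippets, so the same two lines fit here: `{{ dict "envAll" $envAll "application" "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}` after `serviceAccountName`, and `{{ dict "envAll" $envAll "application" "ks_endpoints" "container" "ks_endpoints" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}` after the resources include. The `job_ks_service` and `job_rabbit_init` templates further down have the same gap. Whether the snippets tolerate a missing `pod.security_context.ks_endpoints` key is not visible on this page, so check that before rollout.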
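--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/manifests/_job-ks-service.tpl
@@ -0,0 +1,124 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function creates a manifest for keystone service management.
+# It can be used in charts dict created similar to the following:
+# {- $ksServiceJob := dict "envAll" . "serviceName" "senlin" "serviceTypes" ( tuple "clustering" ) -}
+# { $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }
+
+{{- define "helm-toolkit.manifests.job_ks_service" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $serviceName := index . "serviceName" -}}
+{{- $serviceTypes := index . "serviceTypes" -}}
+{{- $jobAnnotations := index . "jobAnnotations" -}}
+{{- $jobLabels := index . "jobLabels" -}}
+{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
+{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
+{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
+{{- $secretBin := index . "secretBin" -}}
+{{- $tlsSecret := index . "tlsSecret" | default "" -}}
+{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
+{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
+{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
+{{- $restartPolicy_ := "OnFailure" -}}
+{{- if hasKey $envAll.Values "jobs" -}}
+{{- if hasKey $envAll.Values.jobs "ks_service" -}}
+{{- $restartPolicy_ = $envAll.Values.jobs.ks_service.restartPolicy | default $restartPolicy_ }}
+{{- end }}
+{{- end }}
+{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
+
+{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "ks-service" }}
+{{ tuple $envAll "ks_service" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: {{ printf "%s-%s" $serviceNamePretty "ks-service" | quote }}
+labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 4 }}
+{{- end }}
+annotations:
+{{- if $jobAnnotations }}
+{{ toYaml $jobAnnotations | indent 4 }}
+{{- end }}
+spec:
+backoffLimit: {{ $backoffLimit }}
+{{- if $activeDeadlineSeconds }}
+activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
+{{- end }}
+template:
+metadata:
+labels:
+{{ tuple $envAll $serviceName "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{- if $jobLabels }}
+{{ toYaml $jobLabels | indent 8 }}
+{{- end }}
+annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+spec:
+serviceAccountName: {{ $serviceAccountName }}
+restartPolicy: {{ $restartPolicy }}
+{{ tuple $envAll "ks_service" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
+nodeSelector:
+{{ toYaml $nodeSelector | indent 8 }}
+{{- if $tolerationsEnabled }}
+{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
+{{- end}}
+initContainers:
+{{ tuple $envAll "ks_service" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+containers:
+{{- range $key1, $osServiceType := $serviceTypes }}
+- name: {{ printf "%s-%s" $osServiceType "ks-service-registration" | quote }}
+image: {{ $envAll.Values.images.tags.ks_service }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+command:
+- /bin/bash
+- -c
+- /tmp/ks-service.sh
+volumeMounts:
+- name: pod-tmp
+mountPath: /tmp
+- name: ks-service-sh
+mountPath: /tmp/ks-service.sh
+subPath: ks-service.sh
+readOnly: true
+{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+env:
+{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
+{{- end }}
+- name: OS_SERVICE_NAME
+value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }}
+- name: OS_SERVICE_TYPE
+value: {{ $osServiceType | quote }}
+{{- end }}
+volumes:
+- name: pod-tmp
+emptyDir: {}
+- name: ks-service-sh
+{{- if $secretBin }}
+secret:
+secretName: {{ $secretBin | quote }}
+defaultMode: 0555
+{{- else }}
+configMap:
+name: {{ $configMapBin | quote }}
+defaultMode: 0555
+{{- end }}
+{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}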
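Review bot: The `OS_SERVICE_NAME` value is rendered without `| quote`, unlike `OS_SERVICE_TYPE` two lines below it. A looked-up name that YAML reads as a number or boolean, or that contains `: `, would give an env entry the API server rejects or a manifest that does not parse. `value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" | quote }}` keeps it a string. The same unquoted line appears in `job_ks_endpoints`, and `image`, `imagePullPolicy` and `serviceAccountName` are also unquoted here while `job_rabbit_init` quotes them.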
@ -0,0 +1,154 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This function creates a manifest for keystone user management.
|
||||
# It can be used in charts dict created similar to the following:
|
||||
# {- $ksUserJob := dict "envAll" . "serviceName" "senlin" }
|
||||
# { $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }
|
||||
|
||||
{{/*
|
||||
# To enable PodSecuritycontext (PodSecurityContext/v1) define the below in values.yaml:
|
||||
# example:
|
||||
# values: |
|
||||
# pod:
|
||||
# security_context:
|
||||
# ks_user:
|
||||
# pod:
|
||||
# runAsUser: 65534
|
||||
# To enable Container SecurityContext(SecurityContext/v1) for ks-user container define the values:
|
||||
# example:
|
||||
# values: |
|
||||
# pod:
|
||||
# security_context:
|
||||
# ks_user:
|
||||
# container:
|
||||
# ks-user:
|
||||
# runAsUser: 65534
|
||||
# readOnlyRootFilesystem: true
|
||||
# allowPrivilegeEscalation: false
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.job_ks_user" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $serviceName := index . "serviceName" -}}
|
||||
{{- $jobAnnotations := index . "jobAnnotations" -}}
|
||||
{{- $jobLabels := index . "jobLabels" -}}
|
||||
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
|
||||
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
|
||||
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
|
||||
{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
|
||||
{{- $secretBin := index . "secretBin" -}}
|
||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
|
||||
{{- $restartPolicy_ := "OnFailure" -}}
|
||||
{{- if hasKey $envAll.Values "jobs" -}}
|
||||
{{- if hasKey $envAll.Values.jobs "ks_user" -}}
|
||||
{{- $restartPolicy_ = $envAll.Values.jobs.ks_user.restartPolicy | default $restartPolicy_ }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $restartPolicy := index . "restartPolicy" | default $restartPolicy_ -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "ks-user" }}
|
||||
{{ tuple $envAll "ks_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $serviceUserPretty "ks-user" | quote }}
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if $jobAnnotations }}
|
||||
{{ toYaml $jobAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $backoffLimit }}
|
||||
{{- if $activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName | quote }}
|
||||
{{ dict "envAll" $envAll "application" "ks_user" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
||||
restartPolicy: {{ $restartPolicy }}
|
||||
{{ tuple $envAll "ks_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
|
||||
nodeSelector:
|
||||
{{ toYaml $nodeSelector | indent 8 }}
|
||||
{{- if $tolerationsEnabled }}
|
||||
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
|
||||
{{- end}}
|
||||
initContainers:
|
||||
{{ tuple $envAll "ks_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
- name: ks-user
|
||||
image: {{ $envAll.Values.images.tags.ks_user }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
{{ dict "envAll" $envAll "application" "ks_user" "container" "ks_user" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- /tmp/ks-user.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: ks-user-sh
|
||||
mountPath: /tmp/ks-user.sh
|
||||
subPath: ks-user.sh
|
||||
readOnly: true
|
||||
{{ dict "enabled" true "name" $tlsSecret "ca" true | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
env:
|
||||
{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin "useCA" (ne $tlsSecret "") }}
|
||||
{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
- name: SERVICE_OS_SERVICE_NAME
|
||||
value: {{ $serviceName | quote }}
|
||||
{{- with $env := dict "ksUserSecret" (index $envAll.Values.secrets.identity $serviceUser ) }}
|
||||
{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
- name: SERVICE_OS_ROLES
|
||||
{{- $serviceOsRoles := index $envAll.Values.endpoints.identity.auth $serviceUser "role" }}
|
||||
{{- if kindIs "slice" $serviceOsRoles }}
|
||||
value: {{ include "helm-toolkit.utils.joinListWithComma" $serviceOsRoles | quote }}
|
||||
{{- else }}
|
||||
value: {{ $serviceOsRoles | quote }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: ks-user-sh
|
||||
{{- if $secretBin }}
|
||||
secret:
|
||||
secretName: {{ $secretBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- else }}
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
{{- dict "enabled" true "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end -}}
|
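Review bot: The header comment tells operators to put the container settings under `pod.security_context.ks_user.container.ks-user`, but the template asks the snippet for `"container" "ks_user"`. The snippet body is not on this page; if it looks the key up literally, values written as documented are never applied and the container starts without `runAsUser`, `readOnlyRootFilesystem` or `allowPrivilegeEscalation: false`, with no render error to signal it. Align the two, for example by changing the example key in the comment to `ks_user:`.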
@ -0,0 +1,129 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.job_rabbit_init" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $serviceName := index . "serviceName" -}}
|
||||
{{- $jobAnnotations := index . "jobAnnotations" -}}
|
||||
{{- $jobLabels := index . "jobLabels" -}}
|
||||
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
|
||||
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
|
||||
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
|
||||
{{- $serviceUser := index . "serviceUser" | default $serviceName -}}
|
||||
{{- $secretBin := index . "secretBin" -}}
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceUserPretty := $serviceUser | replace "_" "-" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $tlsPath := index . "tlsPath" | default "/etc/rabbitmq/certs" -}}
|
||||
{{- $tlsSecret := index . "tlsSecret" | default "" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceUserPretty "rabbit-init" }}
|
||||
{{ tuple $envAll "rabbit_init" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $serviceUserPretty "rabbit-init" | quote }}
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if $jobAnnotations }}
|
||||
{{ toYaml $jobAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $backoffLimit }}
|
||||
{{- if $activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "rabbit-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName | quote }}
|
||||
restartPolicy: OnFailure
|
||||
{{ tuple $envAll "rabbit_init" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
|
||||
nodeSelector:
|
||||
{{ toYaml $nodeSelector | indent 8 }}
|
||||
{{- if $tolerationsEnabled }}
|
||||
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
|
||||
{{- end}}
|
||||
initContainers:
|
||||
{{ tuple $envAll "rabbit_init" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
- name: rabbit-init
|
||||
image: {{ $envAll.Values.images.tags.rabbit_init | quote }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy | quote }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.rabbit_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- /tmp/rabbit-init.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: rabbit-init-sh
|
||||
mountPath: /tmp/rabbit-init.sh
|
||||
subPath: rabbit-init.sh
|
||||
readOnly: true
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret "path" $tlsPath | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: RABBITMQ_ADMIN_CONNECTION
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $envAll.Values.secrets.oslo_messaging.admin }}
|
||||
key: RABBITMQ_CONNECTION
|
||||
- name: RABBITMQ_USER_CONNECTION
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ index $envAll.Values.secrets.oslo_messaging $serviceName }}
|
||||
key: RABBITMQ_CONNECTION
|
||||
{{- if $envAll.Values.conf.rabbitmq }}
|
||||
- name: RABBITMQ_AUXILIARY_CONFIGURATION
|
||||
value: {{ toJson $envAll.Values.conf.rabbitmq | quote }}
|
||||
{{- end }}
|
||||
{{- if and $envAll.Values.manifests.certificates (ne $tlsSecret "") }}
|
||||
- name: RABBITMQ_X509
|
||||
value: "REQUIRE X509"
|
||||
- name: USER_CERT_PATH
|
||||
value: {{ $tlsPath | quote }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: rabbit-init-sh
|
||||
{{- if $secretBin }}
|
||||
secret:
|
||||
secretName: {{ $secretBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- else }}
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
{{- if $envAll.Values.manifests.certificates }}
|
||||
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $tlsSecret | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
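Review bot: When `manifests.certificates` is true but the caller passes no `tlsSecret`, the guard `and $envAll.Values.manifests.certificates (ne $tlsSecret "")` silently drops `RABBITMQ_X509` and `USER_CERT_PATH`, while the `tls_volume` and `tls_volume_mount` includes are still invoked with an empty name. If client-certificate authentication is meant to be mandatory once certificates are enabled, failing the render is safer than falling back: `{{- if and $envAll.Values.manifests.certificates (eq $tlsSecret "") }}{{ fail "tlsSecret is required when manifests.certificates is enabled" }}{{- end }}` near the top of the define. What `rabbit-init.sh` does when `RABBITMQ_X509` is unset is not shown here, so confirm the intended fallback first.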
@ -0,0 +1,147 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This function creates a manifest for linking an s3 bucket to an s3 user.
|
||||
# It can be used in charts dict created similar to the following:
|
||||
# {- $s3BucketJob := dict "envAll" . "serviceName" "elasticsearch" }
|
||||
# { $s3BucketJob | include "helm-toolkit.manifests.job_s3_bucket" }
|
||||
|
||||
{{- define "helm-toolkit.manifests.job_s3_bucket" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $serviceName := index . "serviceName" -}}
|
||||
{{- $jobAnnotations := index . "jobAnnotations" -}}
|
||||
{{- $jobLabels := index . "jobLabels" -}}
|
||||
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
|
||||
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
|
||||
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
|
||||
{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
|
||||
{{- $secretBin := index . "secretBin" -}}
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
|
||||
{{- $s3Bucket := index . "s3Bucket" | default $serviceName }}
|
||||
{{- $tlsCertificateSecret := index . "tlsCertificateSecret" -}}
|
||||
{{- $tlsCertificatePath := index . "tlsCertificatePath" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-bucket" }}
|
||||
{{ tuple $envAll "s3_bucket" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $serviceNamePretty "s3-bucket" | quote }}
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
{{- if $jobAnnotations }}
|
||||
{{ toYaml $jobAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $backoffLimit }}
|
||||
{{- if $activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "s3-bucket" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName | quote }}
|
||||
restartPolicy: OnFailure
|
||||
{{ tuple $envAll "s3_bucket" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
|
||||
nodeSelector:
|
||||
{{ toYaml $nodeSelector | indent 8 }}
|
||||
{{- if $tolerationsEnabled }}
|
||||
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
|
||||
{{- end}}
|
||||
initContainers:
|
||||
{{ tuple $envAll "s3_bucket" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
- name: s3-bucket
|
||||
image: {{ $envAll.Values.images.tags.s3_bucket }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_bucket | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- /tmp/create-s3-bucket.sh
|
||||
env:
|
||||
{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
|
||||
{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: s3-bucket-sh
|
||||
mountPath: /tmp/create-s3-bucket.sh
|
||||
subPath: create-s3-bucket.sh
|
||||
readOnly: true
|
||||
- name: etcceph
|
||||
mountPath: /etc/ceph
|
||||
- name: ceph-etc
|
||||
mountPath: /etc/ceph/ceph.conf
|
||||
subPath: ceph.conf
|
||||
readOnly: true
|
||||
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
|
||||
- name: ceph-keyring
|
||||
mountPath: /tmp/client-keyring
|
||||
subPath: key
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
|
||||
- name: {{ $tlsCertificateSecret }}
|
||||
mountPath: {{ $tlsCertificatePath }}
|
||||
subPath: ca.crt
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: s3-bucket-sh
|
||||
{{- if $secretBin }}
|
||||
secret:
|
||||
secretName: {{ $secretBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- else }}
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
- name: etcceph
|
||||
emptyDir: {}
|
||||
- name: ceph-etc
|
||||
configMap:
|
||||
name: {{ $configMapCeph | quote }}
|
||||
defaultMode: 0444
|
||||
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
|
||||
- name: ceph-keyring
|
||||
secret:
|
||||
secretName: pvc-ceph-client-key
|
||||
{{ end }}
|
||||
{{- if and ($tlsCertificatePath) ($tlsCertificateSecret) }}
|
||||
- name: {{ $tlsCertificateSecret }}
|
||||
secret:
|
||||
secretName: {{ $tlsCertificateSecret }}
|
||||
defaultMode: 292
|
||||
{{- end }}
|
||||
{{- end -}}
|
@ -0,0 +1,159 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This function creates a manifest for s3 user management.
|
||||
# It can be used in charts dict created similar to the following:
|
||||
# {- $s3UserJob := dict "envAll" . "serviceName" "elasticsearch" }
|
||||
# { $s3UserJob | include "helm-toolkit.manifests.job_s3_user" }
|
||||
|
||||
{{- define "helm-toolkit.manifests.job_s3_user" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $serviceName := index . "serviceName" -}}
|
||||
{{- $jobAnnotations := index . "jobAnnotations" -}}
|
||||
{{- $jobLabels := index . "jobLabels" -}}
|
||||
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
|
||||
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
|
||||
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
|
||||
{{- $configMapCeph := index . "configMapCeph" | default (printf "ceph-etc" ) -}}
|
||||
{{- $secretBin := index . "secretBin" -}}
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
{{- $s3UserSecret := index $envAll.Values.secrets.rgw $serviceName -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "s3-user" }}
|
||||
{{ tuple $envAll "s3_user" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $serviceNamePretty "s3-user" | quote }}
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
"helm.sh/hook-delete-policy": before-hook-creation
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
|
||||
{{- if $jobAnnotations }}
|
||||
{{ toYaml $jobAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $backoffLimit }}
|
||||
{{- if $activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "s3-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName | quote }}
|
||||
restartPolicy: OnFailure
|
||||
{{ tuple $envAll "s3_user" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
|
||||
nodeSelector:
|
||||
{{ toYaml $nodeSelector | indent 8 }}
|
||||
{{- if $tolerationsEnabled }}
|
||||
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
|
||||
{{- end}}
|
||||
initContainers:
|
||||
{{ tuple $envAll "s3_user" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
- name: ceph-keyring-placement
|
||||
image: {{ $envAll.Values.images.tags.ceph_key_placement }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
||||
command:
|
||||
- /tmp/ceph-admin-keyring.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: etcceph
|
||||
mountPath: /etc/ceph
|
||||
- name: ceph-keyring-sh
|
||||
mountPath: /tmp/ceph-admin-keyring.sh
|
||||
subPath: ceph-admin-keyring.sh
|
||||
readOnly: true
|
||||
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
|
||||
- name: ceph-keyring
|
||||
mountPath: /tmp/client-keyring
|
||||
subPath: key
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
containers:
|
||||
- name: s3-user
|
||||
image: {{ $envAll.Values.images.tags.s3_user }}
|
||||
imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.s3_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- /tmp/create-s3-user.sh
|
||||
env:
|
||||
{{- with $env := dict "s3AdminSecret" $envAll.Values.secrets.rgw.admin }}
|
||||
{{- include "helm-toolkit.snippets.rgw_s3_admin_env_vars" $env | indent 12 }}
|
||||
{{- end }}
|
||||
{{- include "helm-toolkit.snippets.rgw_s3_user_env_vars" $envAll | indent 12 }}
|
||||
- name: RGW_HOST
|
||||
value: {{ tuple "ceph_object_store" "internal" "api" $envAll | include "helm-toolkit.endpoints.host_and_port_endpoint_uri_lookup" }}
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: create-s3-user-sh
|
||||
mountPath: /tmp/create-s3-user.sh
|
||||
subPath: create-s3-user.sh
|
||||
readOnly: true
|
||||
- name: etcceph
|
||||
mountPath: /etc/ceph
|
||||
- name: ceph-etc
|
||||
mountPath: /etc/ceph/ceph.conf
|
||||
subPath: ceph.conf
|
||||
readOnly: true
|
||||
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
|
||||
- name: ceph-keyring
|
||||
mountPath: /tmp/client-keyring
|
||||
subPath: key
|
||||
readOnly: true
|
||||
{{ end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: create-s3-user-sh
|
||||
{{- if $secretBin }}
|
||||
secret:
|
||||
secretName: {{ $secretBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- else }}
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
- name: ceph-keyring-sh
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
- name: etcceph
|
||||
emptyDir: {}
|
||||
- name: ceph-etc
|
||||
configMap:
|
||||
name: {{ $configMapCeph | quote }}
|
||||
defaultMode: 0444
|
||||
{{- if empty $envAll.Values.conf.ceph.admin_keyring }}
|
||||
- name: ceph-keyring
|
||||
secret:
|
||||
secretName: pvc-ceph-client-key
|
||||
{{ end }}
|
||||
{{- end -}}
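Review bot: The `ceph-keyring-sh` volume always reads from the `$configMapBin` ConfigMap, while the neighbouring `create-s3-user-sh` volume switches to the `$secretBin` Secret when that is set. A chart that ships its scripts in a Secret therefore still needs a ConfigMap carrying `ceph-admin-keyring.sh`, or the `ceph-keyring-placement` init container has nothing to mount. Give the volume the same secret/configMap branch as `create-s3-user-sh`, as sketched below (indentation to match the file). Separately, `$s3UserSecret` is assigned near the top of the define and not referenced again in this template, so it looks removable.

```yaml
        - name: ceph-keyring-sh
{{- if $secretBin }}
          secret:
            secretName: {{ $secretBin | quote }}
            defaultMode: 0555
{{- else }}
          configMap:
            name: {{ $configMapBin | quote }}
            defaultMode: 0555
{{- end }}
```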
|
@ -0,0 +1,119 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This function creates a manifest for the image repo sync jobs.
|
||||
# It can be used in charts dict created similar to the following:
|
||||
# {- $imageRepoSyncJob := dict "envAll" . "serviceName" "prometheus" -}
|
||||
# { $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }
|
||||
|
||||
{{- define "helm-toolkit.manifests.job_image_repo_sync" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $serviceName := index . "serviceName" -}}
|
||||
{{- $jobAnnotations := index . "jobAnnotations" -}}
|
||||
{{- $jobLabels := index . "jobLabels" -}}
|
||||
{{- $nodeSelector := index . "nodeSelector" | default ( dict $envAll.Values.labels.job.node_selector_key $envAll.Values.labels.job.node_selector_value ) -}}
|
||||
{{- $tolerationsEnabled := index . "tolerationsEnabled" | default false -}}
|
||||
{{- $podVolMounts := index . "podVolMounts" | default false -}}
|
||||
{{- $podVols := index . "podVols" | default false -}}
|
||||
{{- $configMapBin := index . "configMapBin" | default (printf "%s-%s" $serviceName "bin" ) -}}
|
||||
{{- $secretBin := index . "secretBin" -}}
|
||||
{{- $backoffLimit := index . "backoffLimit" | default "1000" -}}
|
||||
{{- $activeDeadlineSeconds := index . "activeDeadlineSeconds" -}}
|
||||
{{- $serviceNamePretty := $serviceName | replace "_" "-" -}}
|
||||
|
||||
{{- $serviceAccountName := printf "%s-%s" $serviceNamePretty "image-repo-sync" }}
|
||||
{{ tuple $envAll "image_repo_sync" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ printf "%s-%s" $serviceNamePretty "image-repo-sync" | quote }}
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
"helm.sh/hook-delete-policy": before-hook-creation
|
||||
{{- if $jobAnnotations }}
|
||||
{{ toYaml $jobAnnotations | indent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ $backoffLimit }}
|
||||
{{- if $activeDeadlineSeconds }}
|
||||
activeDeadlineSeconds: {{ $activeDeadlineSeconds }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll $serviceName "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{- if $jobLabels }}
|
||||
{{ toYaml $jobLabels | indent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" | indent 6 }}
|
||||
nodeSelector:
|
||||
{{ toYaml $nodeSelector | indent 8 }}
|
||||
{{- if $tolerationsEnabled }}
|
||||
{{ tuple $envAll $serviceName | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
|
||||
{{- end}}
|
||||
initContainers:
|
||||
{{ tuple $envAll "image_repo_sync" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
- name: image-repo-sync
|
||||
{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
||||
env:
|
||||
- name: LOCAL_REPO
|
||||
value: "{{ tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
|
||||
- name: IMAGE_SYNC_LIST
|
||||
value: "{{ include "helm-toolkit.utils.image_sync_list" $envAll }}"
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- /tmp/image-repo-sync.sh
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
mountPath: /tmp
|
||||
- name: bootstrap-sh
|
||||
mountPath: /tmp/image-repo-sync.sh
|
||||
subPath: image-repo-sync.sh
|
||||
readOnly: true
|
||||
- name: docker-socket
|
||||
mountPath: /var/run/docker.sock
|
||||
{{- if $podVolMounts }}
|
||||
{{ $podVolMounts | toYaml | indent 12 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
emptyDir: {}
|
||||
- name: bootstrap-sh
|
||||
{{- if $secretBin }}
|
||||
secret:
|
||||
secretName: {{ $secretBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- else }}
|
||||
configMap:
|
||||
name: {{ $configMapBin | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{- if $podVols }}
|
||||
{{ $podVols | toYaml | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
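Review bot: The `docker-socket` hostPath volume hands the `image-repo-sync` container the node's Docker daemon socket, which amounts to root on that node, and nothing in the template records or narrows that. Add `type: Socket` under `hostPath:` so the kubelet checks that the path is a socket before mounting it. Put a comment above the volume, for example `# Grants control of the node's Docker daemon; schedule only on nodes where that is acceptable`. `$podVols` and `$podVolMounts` are spliced in verbatim with `toYaml`, so callers can attach further host paths; the header comment should list both as parameters that must come from trusted chart code only.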
|
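--- a/charts/deps/helm-toolkit/templates/manifests/_network_policy.tpl
+++ b/charts/deps/helm-toolkit/templates/manifests/_network_policy.tpl
@@ -0,0 +1,238 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+Creates a network policy manifest for services.
+values: |
+endpoints:
+kube_dns:
+namespace: kube-system
+name: kubernetes-dns
+hosts:
+default: kube-dns
+host_fqdn_override:
+default: null
+path:
+default: null
+scheme: http
+port:
+dns_tcp:
+default: 53
+dns:
+default: 53
+protocol: UDP
+network_policy:
+myLabel:
+podSelector:
+matchLabels:
+component: api
+ingress:
+- from:
+- podSelector:
+matchLabels:
+application: keystone
+ports:
+- protocol: TCP
+port: 80
+egress:
+- to:
+- namespaceSelector:
+matchLabels:
+name: default
+- namespaceSelector:
+matchLabels:
+name: kube-public
+ports:
+- protocol: TCP
+port: 53
+- protocol: UDP
+port: 53
+usage: |
+{{ dict "envAll" . "name" "application" "label" "myLabel" | include "helm-toolkit.manifests.kubernetes_network_policy" }}
+{{ dict "envAll" . "key" "myLabel" "labels" (dict "application" "myApp" "component" "myComp")}}
+return: |
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: RELEASE-NAME
+namespace: NAMESPACE
+spec:
+policyTypes:
+- Ingress
+- Egress
+podSelector:
+matchLabels:
+application: myLabel
+component: api
+ingress:
+- from:
+- podSelector:
+matchLabels:
+application: keystone
+ports:
+- protocol: TCP
+port: 80
+egress:
+- to:
+- podSelector:
+matchLabels:
+name: default
+- namespaceSelector:
+matchLabels:
+name: kube-public
+ports:
+- protocol: TCP
+port: 53
+- protocol: UDP
+port: 53
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: RELEASE-NAME
+namespace: NAMESPACE
+spec:
+policyTypes:
+- Ingress
+- Egress
+podSelector:
+matchLabels:
+application: myApp
+component: myComp
+ingress:
+- from:
+- podSelector:
+matchLabels:
+application: keystone
+ports:
+- protocol: TCP
+port: 80
+egress:
+- to:
+- podSelector:
+matchLabels:
+name: default
+- namespaceSelector:
+matchLabels:
+name: kube-public
+ports:
+- protocol: TCP
+port: 53
+- protocol: UDP
+port: 53
+*/}}
+
+{{- define "helm-toolkit.manifests.kubernetes_network_policy" -}}
+{{- $envAll := index . "envAll" -}}
+{{- $name := index . "name" -}}
+{{- $labels := index . "labels" | default nil -}}
+{{- $label := index . "key" | default (index . "label") -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: {{ $label | replace "_" "-" }}-netpol
+namespace: {{ $envAll.Release.Namespace }}
+spec:
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+policyTypes:
+{{- $is_egress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Egress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_egress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_egress (index $envAll.Values.network_policy $label "egress") }}
+- Egress
+{{ end -}}
+{{- $is_ingress := false -}}
+{{- if hasKey (index $envAll.Values.network_policy $label) "policyTypes" -}}
+{{- if has "Ingress" (index $envAll.Values.network_policy $label "policyTypes") -}}
+{{- $is_ingress = true -}}
+{{- end -}}
+{{- end -}}
+{{- if or $is_ingress (index $envAll.Values.network_policy $label "ingress") }}
+- Ingress
+{{ end -}}
+{{- end }}
+podSelector:
+matchLabels:
+{{- if empty $labels }}
+{{ $name }}: {{ $label }}
+{{- else }}
+{{ range $k, $v := $labels }}
+{{ $k }}: {{ $v }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if hasKey (index $envAll.Values.network_policy $label) "podSelector" }}
+{{- if index $envAll.Values.network_policy $label "podSelector" "matchLabels" }}
+{{ index $envAll.Values.network_policy $label "podSelector" "matchLabels" | toYaml | indent 6 }}
+{{ end }}
+{{ end }}
+{{ end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+egress:
+{{- range $key, $value := $envAll.Values.endpoints }}
+{{- if kindIs "map" $value }}
+{{- if or (hasKey $value "namespace") (hasKey $value "hosts") }}
+- to:
+{{- if index $value "namespace" }}
+- namespaceSelector:
+matchLabels:
+name: {{ index $value "namespace" }}
+{{- else if index $value "hosts" }}
+{{- $defaultValue := index $value "hosts" "internal" }}
+{{- if hasKey (index $value "hosts") "internal" }}
+{{- $a := split "-" $defaultValue }}
+- podSelector:
+matchLabels:
+application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- else }}
+{{- $defaultValue := index $value "hosts" "default" }}
+{{- $a := split "-" $defaultValue }}
+- podSelector:
+matchLabels:
+application: {{ printf "%s" (index $a._0) | default $defaultValue }}
+{{- end }}
+{{- end }}
+{{- if index $value "port" }}
+ports:
+{{- range $k, $v := index $value "port" }}
+{{- if $k }}
+{{- range $pk, $pv := $v }}
+{{- if and $pv (ne $pk "protocol") }}
+- port: {{ $pv }}
+protocol: {{ $v.protocol | default "TCP" }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if index $envAll.Values.network_policy $label "egress" }}
+{{ index $envAll.Values.network_policy $label "egress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- if hasKey (index $envAll.Values "network_policy") $label }}
+{{- if index $envAll.Values.network_policy $label "ingress" }}
+ingress:
+{{ index $envAll.Values.network_policy $label "ingress" | toYaml | indent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}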
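Review bot: The generated egress rules select namespaces with `matchLabels: name: <namespace>`, a label Kubernetes does not set itself and that anyone able to label a namespace can apply, so the allow rule rests on cluster labelling outside the chart. Where the cluster version provides it, `kubernetes.io/metadata.name: {{ index $value "namespace" }}` is maintained by the API server; otherwise the header comment should state that namespaces must carry a `name` label. The pod branch derives the `application` label from the text before the first `-` of the host name (`split "-"` then `$a._0`), so a hyphenated host name may select a different set of pods than intended; that heuristic deserves a comment next to it. The header's `values` example lists two `namespaceSelector` entries while its `return` shows a `podSelector` for the first, and the two should be reconciled.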
|
@ -0,0 +1,93 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Creates a manifest for a authenticating a registry with a secret
|
||||
examples:
|
||||
- values: |
|
||||
secrets:
|
||||
oci_image_registry:
|
||||
{{ $serviceName }}: {{ $keyName }}
|
||||
endpoints:
|
||||
oci_image_registry:
|
||||
name: oci-image-registry
|
||||
auth:
|
||||
enabled: true
|
||||
{{ $serviceName }}:
|
||||
name: {{ $userName }}
|
||||
password: {{ $password }}
|
||||
usage: |
|
||||
{{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
|
||||
return: |
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
data:
|
||||
dockerconfigjson: {{ $dockerAuth }}
|
||||
|
||||
- values: |
|
||||
secrets:
|
||||
oci_image_registry:
|
||||
{{ $serviceName }}: {{ $keyName }}
|
||||
endpoints:
|
||||
oci_image_registry:
|
||||
name: oci-image-registry
|
||||
auth:
|
||||
enabled: true
|
||||
{{ $serviceName }}:
|
||||
name: {{ $userName }}
|
||||
password: {{ $password }}
|
||||
usage: |
|
||||
{{- include "helm-toolkit.manifests.secret_registry" ( dict "envAll" . "registryUser" .Chart.Name ) -}}
|
||||
return: |
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
data:
|
||||
dockerconfigjson: {{ $dockerAuth }}
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.secret_registry" }}
|
||||
{{- $envAll := index . "envAll" }}
|
||||
{{- $registryUser := index . "registryUser" }}
|
||||
{{- $secretName := index $envAll.Values.secrets.oci_image_registry $registryUser }}
|
||||
{{- $registryHost := tuple "oci_image_registry" "internal" $envAll | include "helm-toolkit.endpoints.endpoint_host_lookup" }}
|
||||
{{/*
|
||||
We only use "host:port" when port is non-null, else just use "host"
|
||||
*/}}
|
||||
{{- $registryPort := "" }}
|
||||
{{- $port := $envAll.Values.endpoints.oci_image_registry.port.registry.default }}
|
||||
{{- if $port }}
|
||||
{{- $port = tuple "oci_image_registry" "internal" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
|
||||
{{- $registryPort = printf ":%s" $port }}
|
||||
{{- end }}
|
||||
{{- $imageCredentials := index $envAll.Values.endpoints.oci_image_registry.auth $registryUser }}
|
||||
{{- $dockerAuthToken := printf "%s:%s" $imageCredentials.username $imageCredentials.password | b64enc }}
|
||||
{{- $dockerAuth := printf "{\"auths\": {\"%s%s\": {\"auth\": \"%s\"}}}" $registryHost $registryPort $dockerAuthToken | b64enc }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
data:
|
||||
.dockerconfigjson: {{ $dockerAuth }}
|
||||
{{- end -}}
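Review bot: The header example documents the credential keys as `name:` and `password:`, but the template reads `$imageCredentials.username` when it builds `$dockerAuthToken`, so values written from the example produce an auth token without the intended user name. The example's `return` also shows the data key as `dockerconfigjson` while the template emits `.dockerconfigjson`. Correct the comment to `username: {{ $userName }}` and `.dockerconfigjson: {{ $dockerAuth }}`; the two example entries are identical, so one can be dropped. The comment should also say that the password comes from chart values and is only base64-encoded in the resulting Secret, not encrypted.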
|
@ -0,0 +1,108 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Creates a manifest for a services public tls secret
|
||||
examples:
|
||||
- values: |
|
||||
secrets:
|
||||
tls:
|
||||
key_manager:
|
||||
api:
|
||||
public: barbican-tls-public
|
||||
endpoints:
|
||||
key_manager:
|
||||
host_fqdn_override:
|
||||
public:
|
||||
tls:
|
||||
crt: |
|
||||
FOO-CRT
|
||||
key: |
|
||||
FOO-KEY
|
||||
ca: |
|
||||
FOO-CA_CRT
|
||||
usage: |
|
||||
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
|
||||
return: |
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: barbican-tls-public
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.key: Rk9PLUtFWQo=
|
||||
tls.crt: Rk9PLUNSVAoKRk9PLUNBX0NSVAo=
|
||||
|
||||
- values: |
|
||||
secrets:
|
||||
tls:
|
||||
key_manager:
|
||||
api:
|
||||
public: barbican-tls-public
|
||||
endpoints:
|
||||
key_manager:
|
||||
host_fqdn_override:
|
||||
public:
|
||||
tls:
|
||||
crt: |
|
||||
FOO-CRT
|
||||
FOO-INTERMEDIATE_CRT
|
||||
FOO-CA_CRT
|
||||
key: |
|
||||
FOO-KEY
|
||||
usage: |
|
||||
{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key-manager" ) -}}
|
||||
return: |
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: barbican-tls-public
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.key: Rk9PLUtFWQo=
|
||||
tls.crt: Rk9PLUNSVApGT08tSU5URVJNRURJQVRFX0NSVApGT08tQ0FfQ1JUCg==
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.secret_ingress_tls" }}
|
||||
{{- $envAll := index . "envAll" }}
|
||||
{{- $endpoint := index . "endpoint" | default "public" }}
|
||||
{{- $backendServiceType := index . "backendServiceType" }}
|
||||
{{- $backendService := index . "backendService" | default "api" }}
|
||||
{{- $host := index $envAll.Values.endpoints ( $backendServiceType | replace "-" "_" ) "host_fqdn_override" }}
|
||||
{{- if hasKey $host $endpoint }}
|
||||
{{- $endpointHost := index $host $endpoint }}
|
||||
{{- if kindIs "map" $endpointHost }}
|
||||
{{- if hasKey $endpointHost "tls" }}
|
||||
{{- if and $endpointHost.tls.key $endpointHost.tls.crt }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ index $envAll.Values.secrets.tls ( $backendServiceType | replace "-" "_" ) $backendService $endpoint }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.key: {{ $endpointHost.tls.key | b64enc }}
|
||||
{{- if $endpointHost.tls.ca }}
|
||||
tls.crt: {{ list $endpointHost.tls.crt $endpointHost.tls.ca | join "\n" | b64enc }}
|
||||
{{- else }}
|
||||
tls.crt: {{ $endpointHost.tls.crt | b64enc }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
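Review bot: When the `tls` map carries only one of `key` and `crt`, the `and $endpointHost.tls.key $endpointHost.tls.crt` guard is false and the template renders nothing, so a half-filled override yields no Secret and no error. Failing the render is safer than leaving an ingress to reference a Secret that was never created: add `{{- else if or $endpointHost.tls.key $endpointHost.tls.crt }}` and `{{- fail "host_fqdn_override tls needs both key and crt" }}` before that guard's `{{- end }}`. The header comment should also state that `tls.ca` is appended to `tls.crt` rather than stored under its own key, and that the private key reaches the cluster through chart values.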
|
@ -0,0 +1,43 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# This function creates a manifest for a services ingress rules.
|
||||
# It can be used in charts dict created similar to the following:
|
||||
# {- $serviceIngressOpts := dict "envAll" . "backendServiceType" "key-manager" -}
|
||||
# { $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }
|
||||
|
||||
{{- define "helm-toolkit.manifests.service_ingress" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $backendServiceType := index . "backendServiceType" -}}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
- name: https
|
||||
port: 443
|
||||
selector:
|
||||
app: ingress-api
|
||||
{{- if index $envAll.Values.endpoints $backendServiceType }}
|
||||
{{- if index $envAll.Values.endpoints $backendServiceType "ip" }}
|
||||
{{- if index $envAll.Values.endpoints $backendServiceType "ip" "ingress" }}
|
||||
clusterIP: {{ (index $envAll.Values.endpoints $backendServiceType "ip" "ingress") }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
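Review bot: The `clusterIP` lookup indexes `$envAll.Values.endpoints` with `$backendServiceType` exactly as passed, while the usage comment passes `"key-manager"` and the `secret_ingress_tls` template applies `replace "-" "_"` before indexing the same map. With a hyphenated type the three `if index` guards would presumably all be false and a configured ingress IP silently ignored. Normalise once with `{{- $endpointKey := $backendServiceType | replace "-" "_" -}}` and use `$endpointKey` in the four `index` calls. Whether `hostname_short_endpoint_lookup` normalises its own argument is not visible in this file.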
|
@ -0,0 +1,35 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
{{- define "helm-toolkit.scripts.create_s3_bucket" }}
|
||||
#!/bin/bash
|
||||
set -e
|
||||
CONNECTION_ARGS="--host=$RGW_HOST --host-bucket=$RGW_HOST"
|
||||
if [ "$RGW_PROTO" = "http" ]; then
|
||||
CONNECTION_ARGS+=" --no-ssl"
|
||||
else
|
||||
CONNECTION_ARGS+=" --no-check-certificate"
|
||||
fi
|
||||
ADMIN_AUTH_ARGS=" --access_key=$S3_ADMIN_ACCESS_KEY --secret_key=$S3_ADMIN_SECRET_KEY"
|
||||
USER_AUTH_ARGS=" --access_key=$S3_ACCESS_KEY --secret_key=$S3_SECRET_KEY"
|
||||
function check_rgw_s3_bucket () {
|
||||
s3cmd $CONNECTION_ARGS $USER_AUTH_ARGS ls s3://$S3_BUCKET
|
||||
}
|
||||
function create_rgw_s3_bucket () {
|
||||
s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS mb s3://$S3_BUCKET
|
||||
}
|
||||
function modify_bucket_acl () {
|
||||
s3cmd $CONNECTION_ARGS $ADMIN_AUTH_ARGS setacl s3://$S3_BUCKET --acl-grant=read:$S3_USERNAME --acl-grant=write:$S3_USERNAME
|
||||
}
|
||||
check_rgw_s3_bucket || ( create_rgw_s3_bucket && modify_bucket_acl )
|
||||
{{- end }}
|
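Review bot: Every value of `RGW_PROTO` other than `http` appends `--no-check-certificate` to `CONNECTION_ARGS`, so the admin and user keys in `ADMIN_AUTH_ARGS` and `USER_AUTH_ARGS` are sent over TLS without verifying the server certificate. Point s3cmd at the cluster CA instead, e.g. `CONNECTION_ARGS+=" --ca-certs=<path to CA bundle>"`, and keep unverified mode behind an explicit opt-in. The keys are also passed on the s3cmd command line, where the process list inside the pod exposes them; a generated s3cmd config file with restrictive permissions would avoid that. `s3://$S3_BUCKET` and `$S3_USERNAME` are unquoted in all three functions and should be quoted.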
@ -0,0 +1,65 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
{{- define "helm-toolkit.scripts.create_s3_user" }}
|
||||
#!/bin/bash
|
||||
set -e
|
||||
function create_s3_user () {
|
||||
echo "Creating s3 user and key pair"
|
||||
radosgw-admin user create \
|
||||
--uid=${S3_USERNAME} \
|
||||
--display-name=${S3_USERNAME} \
|
||||
--key-type=s3 \
|
||||
--access-key ${S3_ACCESS_KEY} \
|
||||
--secret-key ${S3_SECRET_KEY}
|
||||
}
|
||||
function update_s3_user () {
|
||||
# Retrieve old access keys, if they exist
|
||||
old_access_keys=$(radosgw-admin user info --uid=${S3_USERNAME} \
|
||||
| jq -r '.keys[].access_key' || true)
|
||||
|
||||
if [[ ! -z ${old_access_keys} ]]; then
|
||||
for access_key in $old_access_keys; do
|
||||
# If current access key is the same as the key supplied, do nothing.
|
||||
if [ "$access_key" == "${S3_ACCESS_KEY}" ]; then
|
||||
echo "Current user and key pair exists."
|
||||
continue
|
||||
else
|
||||
# If keys differ, remove previous key
|
||||
radosgw-admin key rm --uid=${S3_USERNAME} --key-type=s3 --access-key=$access_key
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Perform one more additional check to account for scenarios where multiple
|
||||
# key pairs existed previously, but one existing key was the supplied key
|
||||
current_access_key=$(radosgw-admin user info --uid=${S3_USERNAME} \
|
||||
| jq -r '.keys[].access_key' || true)
|
||||
|
||||
# If the supplied key does not exist, modify the user
|
||||
if [[ -z ${current_access_key} ]]; then
|
||||
# Modify user with new access and secret keys
|
||||
echo "Updating existing user's key pair"
|
||||
radosgw-admin user modify \
|
||||
--uid=${S3_USERNAME}\
|
||||
--access-key ${S3_ACCESS_KEY} \
|
||||
--secret-key ${S3_SECRET_KEY}
|
||||
fi
|
||||
}
|
||||
user_exists=$(radosgw-admin user info --uid=${S3_USERNAME} || true)
|
||||
if [[ -z ${user_exists} ]]; then
|
||||
create_s3_user
|
||||
else
|
||||
update_s3_user
|
||||
fi
|
||||
{{- end }}
|
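Review bot: `update_s3_user` never compares or updates the secret key when the access key is unchanged. The loop hits `continue` for the matching key, the final `[[ -z ${current_access_key} ]]` guard is then false, and `radosgw-admin user modify` is skipped, so a rotated `S3_SECRET_KEY` is not applied. Either compare the stored secret as well, or run the `user modify` call whenever the supplied pair is not already present as a whole. Separately, `user_exists=$(radosgw-admin user info ... || true)` treats any failure of the command as "user absent". `${S3_ACCESS_KEY}` and `${S3_SECRET_KEY}` are also expanded unquoted and should read e.g. `--secret-key "${S3_SECRET_KEY}"`.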
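--- a/charts/deps/helm-toolkit/templates/scripts/_db-drop.py.tpl
+++ b/charts/deps/helm-toolkit/templates/scripts/_db-drop.py.tpl
@@ -0,0 +1,142 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_drop" }}
+#!/usr/bin/env python
+
+# Drops db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+import ConfigParser
+PARSER_OPTS = {}
+except ImportError:
+import configparser as ConfigParser
+PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Drop')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+db_connection = os.environ['ROOT_DB_CONNECTION']
+logger.info('Got DB root connection')
+else:
+logger.critical('environment variable ROOT_DB_CONNECTION not set')
+sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+'key': '/etc/mysql/certs/tls.key',
+'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+else:
+logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+sys.exit(1)
+if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+else:
+logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+sys.exit(1)
+try:
+config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+logger.info("Using {0} as db config source".format(os_conf))
+config.read(os_conf)
+logger.info("Trying to load db config from {0}:{1}".format(
+os_conf_section, os_conf_key))
+user_db_conn = config.get(os_conf_section, os_conf_key)
+logger.info("Got config from {0}".format(os_conf))
+except:
+logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+raise
+elif "DB_CONNECTION" in os.environ:
+user_db_conn = os.environ['DB_CONNECTION']
+logger.info('Got config from DB_CONNECTION env var')
+else:
+logger.critical('Could not get db config, either from config file or env var')
+sys.exit(1)
+
+# Root DB engine
+try:
+root_engine_full = create_engine(db_connection)
+root_user = root_engine_full.url.username
+root_password = root_engine_full.url.password
+drivername = root_engine_full.url.drivername
+host = root_engine_full.url.host
+port = root_engine_full.url.port
+root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+connection = root_engine.connect()
+connection.close()
+logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+host, port, root_user))
+except:
+logger.critical('Could not connect to database as root user')
+raise
+
+# User DB engine
+try:
+user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+# Get our user data out of the user_engine
+database = user_engine.url.database
+user = user_engine.url.username
+password = user_engine.url.password
+logger.info('Got user db config')
+except:
+logger.critical('Could not get user database config')
+raise
+
+# Delete DB
+try:
+root_engine.execute("DROP DATABASE IF EXISTS {0}".format(database))
+logger.info("Deleted database {0}".format(database))
+except:
+logger.critical("Could not drop database {0}".format(database))
+raise
+
+# Delete DB User
+try:
+root_engine.execute("DROP USER IF EXISTS {0}".format(user))
+logger.info("Deleted user {0}".format(user))
+except:
+logger.critical("Could not delete user {0}".format(user))
+raise
+
+logger.info('Finished DB Management')
+{{- end }}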
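Review bot: The two `DROP` statements interpolate `database` and `user` from the connection URL straight into SQL text with no identifier quoting, so a name containing a hyphen, backtick or whitespace either fails or changes the statement that runs as the root DB user. Quote and escape them, e.g. ``"DROP DATABASE IF EXISTS `{0}`".format(database.replace('`', '``'))``, and give the user the same `'{0}'@'%%'` form that `_db-init.py.tpl` uses when creating it. `CREATE DATABASE IF NOT EXISTS {0}` in `_db-init.py.tpl` has the same gap. `root_engine_url` is rebuilt with `''.join` from `url.password`; if SQLAlchemy returns the decoded password there, a password containing `@`, `:` or `/` would yield a URL that parses differently, which is worth checking. The bare `except:` clauses also catch `SystemExit` and `KeyboardInterrupt`; `except Exception:` is the narrower form.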
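--- a/charts/deps/helm-toolkit/templates/scripts/_db-init.py.tpl
+++ b/charts/deps/helm-toolkit/templates/scripts/_db-init.py.tpl
@@ -0,0 +1,156 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.db_init" }}
+#!/usr/bin/env python
+
+# Creates db and user for an OpenStack Service:
+# Set ROOT_DB_CONNECTION and DB_CONNECTION environment variables to contain
+# SQLAlchemy strings for the root connection to the database and the one you
+# wish the service to use. Alternatively, you can use an ini formatted config
+# at the location specified by OPENSTACK_CONFIG_FILE, and extract the string
+# from the key OPENSTACK_CONFIG_DB_KEY, in the section specified by
+# OPENSTACK_CONFIG_DB_SECTION.
+
+import os
+import sys
+try:
+import ConfigParser
+PARSER_OPTS = {}
+except ImportError:
+import configparser as ConfigParser
+PARSER_OPTS = {"strict": False}
+import logging
+from sqlalchemy import create_engine
+
+# Create logger, console handler and formatter
+logger = logging.getLogger('OpenStack-Helm DB Init')
+logger.setLevel(logging.DEBUG)
+ch = logging.StreamHandler()
+ch.setLevel(logging.DEBUG)
+formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+
+# Set the formatter and add the handler
+ch.setFormatter(formatter)
+logger.addHandler(ch)
+
+
+# Get the connection string for the service db root user
+if "ROOT_DB_CONNECTION" in os.environ:
+db_connection = os.environ['ROOT_DB_CONNECTION']
+logger.info('Got DB root connection')
+else:
+logger.critical('environment variable ROOT_DB_CONNECTION not set')
+sys.exit(1)
+
+mysql_x509 = os.getenv('MARIADB_X509', "")
+ssl_args = {}
+if mysql_x509:
+ssl_args = {'ssl': {'ca': '/etc/mysql/certs/ca.crt',
+'key': '/etc/mysql/certs/tls.key',
+'cert': '/etc/mysql/certs/tls.crt'}}
+
+# Get the connection string for the service db
+if "OPENSTACK_CONFIG_FILE" in os.environ:
+os_conf = os.environ['OPENSTACK_CONFIG_FILE']
+if "OPENSTACK_CONFIG_DB_SECTION" in os.environ:
+os_conf_section = os.environ['OPENSTACK_CONFIG_DB_SECTION']
+else:
+logger.critical('environment variable OPENSTACK_CONFIG_DB_SECTION not set')
+sys.exit(1)
+if "OPENSTACK_CONFIG_DB_KEY" in os.environ:
+os_conf_key = os.environ['OPENSTACK_CONFIG_DB_KEY']
+else:
+logger.critical('environment variable OPENSTACK_CONFIG_DB_KEY not set')
+sys.exit(1)
+try:
+config = ConfigParser.RawConfigParser(**PARSER_OPTS)
+logger.info("Using {0} as db config source".format(os_conf))
+config.read(os_conf)
+logger.info("Trying to load db config from {0}:{1}".format(
+os_conf_section, os_conf_key))
+user_db_conn = config.get(os_conf_section, os_conf_key)
+logger.info("Got config from {0}".format(os_conf))
+except:
+logger.critical("Tried to load config from {0} but failed.".format(os_conf))
+raise
+elif "DB_CONNECTION" in os.environ:
+user_db_conn = os.environ['DB_CONNECTION']
+logger.info('Got config from DB_CONNECTION env var')
+else:
+logger.critical('Could not get db config, either from config file or env var')
+sys.exit(1)
+
+# Root DB engine
+try:
+root_engine_full = create_engine(db_connection)
+root_user = root_engine_full.url.username
+root_password = root_engine_full.url.password
+drivername = root_engine_full.url.drivername
+host = root_engine_full.url.host
+port = root_engine_full.url.port
+root_engine_url = ''.join([drivername, '://', root_user, ':', root_password, '@', host, ':', str (port)])
+root_engine = create_engine(root_engine_url, connect_args=ssl_args)
+connection = root_engine.connect()
+connection.close()
+logger.info("Tested connection to DB @ {0}:{1} as {2}".format(
+host, port, root_user))
+except:
+logger.critical('Could not connect to database as root user')
+raise
+
+# User DB engine
+try:
+user_engine = create_engine(user_db_conn, connect_args=ssl_args)
+# Get our user data out of the user_engine
+database = user_engine.url.database
+user = user_engine.url.username
+password = user_engine.url.password
+logger.info('Got user db config')
+except:
+logger.critical('Could not get user database config')
+raise
+
+# Create DB
+try:
+root_engine.execute("CREATE DATABASE IF NOT EXISTS {0}".format(database))
+logger.info("Created database {0}".format(database))
+except:
+logger.critical("Could not create database {0}".format(database))
+raise
+
+# Create DB User
+try:
+root_engine.execute(
+"CREATE USER IF NOT EXISTS \'{0}\'@\'%%\' IDENTIFIED BY \'{1}\' {2}".format(
+user, password, mysql_x509))
+root_engine.execute(
+"GRANT ALL ON `{0}`.* TO \'{1}\'@\'%%\'".format(database, user))
+logger.info("Created user {0} for {1}".format(user, database))
+except:
+logger.critical("Could not create user {0} for {1}".format(user, database))
+raise
+
+# Test connection
+try:
+connection = user_engine.connect()
+connection.close()
+logger.info("Tested connection to DB @ {0}:{1}/{2} as {3}".format(
+host, port, database, user))
+except:
+logger.critical('Could not connect to database as user')
+raise
+
+logger.info('Finished DB Management')
+{{- end }}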
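Review bot: The `CREATE USER ... IDENTIFIED BY \'{1}\' {2}` statement formats the service password and the raw `MARIADB_X509` environment value into the SQL text, so a quote character in the password breaks or alters a statement executed as the root DB user. If that call fails, the re-raised SQLAlchemy error is likely to carry the statement text, password included, into the job log. Escape the user and password before formatting, or pass them as bound parameters if the driver accepts them for this statement. If `MARIADB_X509` is only meant to switch on an X509 requirement, emit a fixed clause when it is set rather than appending whatever the variable holds. The `GRANT ALL` is issued for the user at host `%`, i.e. from any host; confirm that scope is intended for these service accounts.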
@ -0,0 +1,69 @@
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
{{- define "helm-toolkit.scripts.pg_db_init" }}
|
||||
#!/bin/bash
|
||||
set -ex
|
||||
|
||||
if [[ ! -v DB_HOST ]]; then
|
||||
echo "environment variable DB_HOST not set"
|
||||
exit 1
|
||||
elif [[ ! -v DB_ADMIN_USER ]]; then
|
||||
echo "environment variable DB_ADMIN_USER not set"
|
||||
exit 1
|
||||
elif [[ ! -v PGPASSWORD ]]; then
|
||||
echo "environment variable PGPASSWORD not set"
|
||||
exit 1
|
||||
elif [[ ! -v DB_PORT ]]; then
|
||||
echo "environment variable DB_PORT not set"
|
||||
exit 1
|
||||
elif [[ ! -v USER_DB_USER ]]; then
|
||||
echo "environment variable USER_DB_USER not set"
|
||||
exit 1
|
||||
elif [[ ! -v USER_DB_PASS ]]; then
|
||||
echo "environment variable USER_DB_PASS not set"
|
||||
exit 1
|
||||
elif [[ ! -v USER_DB_NAME ]]; then
|
||||
echo "environment variable USER_DB_NAME not set"
|
||||
exit 1
|
||||
else
|
||||
echo "Got DB connection info"
|
||||
fi
|
||||
|
||||
pgsql_superuser_cmd () {
|
||||
DB_COMMAND="$1"
|
||||
if [[ ! -z $2 ]]; then
|
||||
EXPORT PGDATABASE=$2
|
||||
fi
|
||||
/usr/bin/psql \
|
||||
-h ${DB_HOST} \
|
||||
-p ${DB_PORT} \
|
||||
-U ${DB_ADMIN_USER} \
|
||||
--command="${DB_COMMAND}"
|
||||
}
|
||||
|
||||
#create db
|
||||
pgsql_superuser_cmd "SELECT 1 FROM pg_database WHERE datname = '$USER_DB_NAME'" | grep -q "(1 row)" || pgsql_superuser_cmd "CREATE DATABASE $USER_DB_NAME"
|
||||
|
||||
#create db user
|
||||
pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" | grep -q "(1 row)" || \
|
||||
pgsql_superuser_cmd "CREATE ROLE ${USER_DB_USER} LOGIN PASSWORD '$USER_DB_PASS';"
|
||||
|
||||
#Set password everytime. This is required for cases when we would want password rotation to take effect and set the updated password for a user.
|
||||
pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" && pgsql_superuser_cmd "ALTER USER ${USER_DB_USER} with password '$USER_DB_PASS'"
|
||||
|
||||
#give permissions to user
|
||||
pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
|
||||
|
||||
#revoke all privileges from PUBLIC role
|
||||
pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
|
||||
{{- end }}
|
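Review bot: With `set -ex` active every `pgsql_superuser_cmd` call is traced, so the `CREATE ROLE ... PASSWORD '$USER_DB_PASS'` and `ALTER USER ... with password '$USER_DB_PASS'` lines write the service password to the job log. Wrap those two calls in `set +x` / `set -x`, as `_ks-user.sh.tpl` does around `openstack user set`; the `keystone_domain_user` template in this commit has the same exposure on its `--password="${SERVICE_OS_PASSWORD}"` lines. In `pgsql_superuser_cmd`, `EXPORT PGDATABASE=$2` is not a shell builtin and would abort the script under `set -e` the first time a second argument is passed; it should read `export PGDATABASE="$2"`. The database and role names are interpolated unquoted into the SQL and should be validated or double-quoted as identifiers.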
@ -0,0 +1,24 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.scripts.image_repo_sync" }}
|
||||
#!/bin/sh
|
||||
set -ex
|
||||
|
||||
IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
|
||||
docker pull ${IMAGE}
|
||||
docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
|
||||
docker push ${LOCAL_REPO}/${IMAGE}
|
||||
done
|
||||
{{- end }}
|
@ -0,0 +1,72 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.scripts.keystone_domain_user" }}
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 Pete Birley
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
set -ex
|
||||
|
||||
# Manage domain
|
||||
SERVICE_OS_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
|
||||
--description="Service Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
|
||||
"${SERVICE_OS_DOMAIN_NAME}")
|
||||
|
||||
# Display domain
|
||||
openstack domain show "${SERVICE_OS_DOMAIN_ID}"
|
||||
|
||||
# Manage user
|
||||
SERVICE_OS_USERID=$(openstack user create --or-show --enable -f value -c id \
|
||||
--domain="${SERVICE_OS_DOMAIN_ID}" \
|
||||
--description "Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_DOMAIN_NAME}" \
|
||||
--password="${SERVICE_OS_PASSWORD}" \
|
||||
"${SERVICE_OS_USERNAME}")
|
||||
|
||||
# Manage user password (we do this to ensure the password is updated if required)
|
||||
openstack user set --password="${SERVICE_OS_PASSWORD}" "${SERVICE_OS_USERID}"
|
||||
|
||||
# Display user
|
||||
openstack user show "${SERVICE_OS_USERID}"
|
||||
|
||||
# Manage role
|
||||
SERVICE_OS_ROLE_ID=$(openstack role show -f value -c id \
|
||||
"${SERVICE_OS_ROLE}" || openstack role create -f value -c id \
|
||||
"${SERVICE_OS_ROLE}" )
|
||||
|
||||
# Manage user role assignment
|
||||
openstack role add \
|
||||
--domain="${SERVICE_OS_DOMAIN_ID}" \
|
||||
--user="${SERVICE_OS_USERID}" \
|
||||
--user-domain="${SERVICE_OS_DOMAIN_ID}" \
|
||||
"${SERVICE_OS_ROLE_ID}"
|
||||
|
||||
# Display user role assignment
|
||||
openstack role assignment list \
|
||||
--role="${SERVICE_OS_ROLE_ID}" \
|
||||
--user-domain="${SERVICE_OS_DOMAIN_ID}" \
|
||||
--user="${SERVICE_OS_USERID}"
|
||||
{{- end }}
|
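--- a/charts/deps/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
+++ b/charts/deps/helm-toolkit/templates/scripts/_ks-endpoints.sh.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_endpoints" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+# Get Service ID
+OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
+grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
+sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
+
+# Get Endpoint ID if it exists
+OS_ENDPOINT_ID=$( openstack endpoint list -f csv --quote none | \
+grep "^[a-z0-9]*,${OS_REGION_NAME},${OS_SERVICE_NAME},${OS_SERVICE_TYPE},True,${OS_SVC_ENDPOINT}," | \
+awk -F ',' '{ print $1 }' )
+
+# Making sure only a single endpoint exists for a service within a region
+if [ "$(echo $OS_ENDPOINT_ID | wc -w)" -gt "1" ]; then
+echo "More than one endpoint found, cleaning up"
+for ENDPOINT_ID in $OS_ENDPOINT_ID; do
+openstack endpoint delete ${ENDPOINT_ID}
+done
+unset OS_ENDPOINT_ID
+fi
+
+# Determine if Endpoint needs updated
+if [[ ${OS_ENDPOINT_ID} ]]; then
+OS_ENDPOINT_URL_CURRENT=$(openstack endpoint show ${OS_ENDPOINT_ID} -f value -c url)
+if [ "${OS_ENDPOINT_URL_CURRENT}" == "${OS_SERVICE_ENDPOINT}" ]; then
+echo "Endpoints Match: no action required"
+OS_ENDPOINT_UPDATE="False"
+else
+echo "Endpoints Dont Match: removing existing entries"
+openstack endpoint delete ${OS_ENDPOINT_ID}
+OS_ENDPOINT_UPDATE="True"
+fi
+else
+OS_ENDPOINT_UPDATE="True"
+fi
+
+# Update Endpoint if required
+if [[ "${OS_ENDPOINT_UPDATE}" == "True" ]]; then
+OS_ENDPOINT_ID=$( openstack endpoint create -f value -c id \
+--region="${OS_REGION_NAME}" \
+"${OS_SERVICE_ID}" \
+${OS_SVC_ENDPOINT} \
+"${OS_SERVICE_ENDPOINT}" )
+fi
+
+# Display the Endpoint
+openstack endpoint show ${OS_ENDPOINT_ID}
+{{- end }}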
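Review bot: A failed `openstack service list` or `openstack endpoint list` goes undetected, because each runs at the head of a pipeline and `set -e` only sees the exit status of the final `sed` or `awk`. The variables then come back empty and the script calls `openstack endpoint create` with a blank `OS_SERVICE_ID`, or adds a second endpoint next to the existing one. Capture each listing on its own line first, e.g. `ENDPOINTS=$(openstack endpoint list -f csv --quote none)`, and filter `"${ENDPOINTS}"` afterwards, so a failed API call stops the job. The `keystone_service` template in this commit describes this failure mode in its FIXME and still falls through to `openstack service create` after three empty listings. The `grep` patterns also treat `${OS_SERVICE_NAME}` and `${OS_SERVICE_TYPE}` as regular expressions; an exact field comparison in `awk` would avoid partial matches.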
@ -0,0 +1,76 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.scripts.keystone_service" }}
|
||||
#!/bin/bash
|
||||
|
||||
# Copyright 2017 Pete Birley
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
set -ex
|
||||
|
||||
# Service boilerplate description
|
||||
OS_SERVICE_DESC="${OS_REGION_NAME}: ${OS_SERVICE_NAME} (${OS_SERVICE_TYPE}) service"
|
||||
|
||||
# Get Service ID if it exists
|
||||
unset OS_SERVICE_ID
|
||||
|
||||
# FIXME - There seems to be an issue once in a while where the
|
||||
# openstack service list fails and encounters an error message such as:
|
||||
# Unable to establish connection to
|
||||
# https://keystone-api.openstack.svc.cluster.local:5000/v3/auth/tokens:
|
||||
# ('Connection aborted.', OSError("(104, 'ECONNRESET')",))
|
||||
# During an upgrade scenario, this would cause the OS_SERVICE_ID to be blank
|
||||
# and it would attempt to create a new service when it was not needed.
|
||||
# This duplciate service would sometimes be used by other services such as
|
||||
# Horizon and would give an 'Invalid Service Catalog' error.
|
||||
# This loop allows for a 'retry' of the openstack service list in an
|
||||
# attempt to get the service list as expected if it does ecounter an error.
|
||||
# This loop and recheck can be reverted once the underlying issue is addressed.
|
||||
|
||||
# If OS_SERVICE_ID is blank then wait a few seconds to give it
|
||||
# additional time and try again
|
||||
for i in $(seq 3)
|
||||
do
|
||||
OS_SERVICE_ID=$( openstack service list -f csv --quote none | \
|
||||
grep ",${OS_SERVICE_NAME},${OS_SERVICE_TYPE}$" | \
|
||||
sed -e "s/,${OS_SERVICE_NAME},${OS_SERVICE_TYPE}//g" )
|
||||
|
||||
# If the service was found, go ahead and exit successfully.
|
||||
if [[ -n "${OS_SERVICE_ID}" ]]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
sleep 2
|
||||
done
|
||||
|
||||
# If we've reached this point and a Service ID was not found,
|
||||
# then create the service
|
||||
OS_SERVICE_ID=$(openstack service create -f value -c id \
|
||||
--name="${OS_SERVICE_NAME}" \
|
||||
--description "${OS_SERVICE_DESC}" \
|
||||
--enable \
|
||||
"${OS_SERVICE_TYPE}")
|
||||
{{- end }}
|
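--- a/charts/deps/helm-toolkit/templates/scripts/_ks-user.sh.tpl
+++ b/charts/deps/helm-toolkit/templates/scripts/_ks-user.sh.tpl
@@ -0,0 +1,108 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.keystone_user" }}
+#!/bin/bash
+
+# Copyright 2017 Pete Birley
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ex
+
+shopt -s nocasematch
+
+if [[ "${SERVICE_OS_PROJECT_DOMAIN_NAME}" == "Default" ]]
+then
+PROJECT_DOMAIN_ID="default"
+else
+# Manage project domain
+PROJECT_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+--description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}" \
+"${SERVICE_OS_PROJECT_DOMAIN_NAME}")
+fi
+
+if [[ "${SERVICE_OS_USER_DOMAIN_NAME}" == "Default" ]]
+then
+USER_DOMAIN_ID="default"
+else
+# Manage user domain
+USER_DOMAIN_ID=$(openstack domain create --or-show --enable -f value -c id \
+--description="Domain for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}" \
+"${SERVICE_OS_USER_DOMAIN_NAME}")
+fi
+
+shopt -u nocasematch
+
+# Manage user project
+USER_PROJECT_DESC="Service Project for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_PROJECT_DOMAIN_NAME}"
+USER_PROJECT_ID=$(openstack project create --or-show --enable -f value -c id \
+--domain="${PROJECT_DOMAIN_ID}" \
+--description="${USER_PROJECT_DESC}" \
+"${SERVICE_OS_PROJECT_NAME}");
+
+# Manage user
+USER_DESC="Service User for ${SERVICE_OS_REGION_NAME}/${SERVICE_OS_USER_DOMAIN_NAME}/${SERVICE_OS_SERVICE_NAME}"
+USER_ID=$(openstack user create --or-show --enable -f value -c id \
+--domain="${USER_DOMAIN_ID}" \
+--project-domain="${PROJECT_DOMAIN_ID}" \
+--project="${USER_PROJECT_ID}" \
+--description="${USER_DESC}" \
+"${SERVICE_OS_USERNAME}");
+
+# Manage user password (we do this in a seperate step to ensure the password is updated if required)
+set +x
+echo "Setting user password via: openstack user set --password=xxxxxxx ${USER_ID}"
+openstack user set --password="${SERVICE_OS_PASSWORD}" "${USER_ID}"
+set -x
+
+function ks_assign_user_role () {
+if [[ "$SERVICE_OS_ROLE" == "admin" ]]
+then
+USER_ROLE_ID="$SERVICE_OS_ROLE"
+else
+USER_ROLE_ID=$(openstack role create --or-show -f value -c id "${SERVICE_OS_ROLE}");
+fi
+
+# Manage user role assignment
+openstack role add \
+--user="${USER_ID}" \
+--user-domain="${USER_DOMAIN_ID}" \
+--project-domain="${PROJECT_DOMAIN_ID}" \
+--project="${USER_PROJECT_ID}" \
+"${USER_ROLE_ID}"
+}
+
+# Manage user service role
+IFS=','
+for SERVICE_OS_ROLE in ${SERVICE_OS_ROLES}; do
+ks_assign_user_role
+done
+
+# Manage user member role
+: ${MEMBER_OS_ROLE:="member"}
+export USER_ROLE_ID=$(openstack role create --or-show -f value -c id \
+"${MEMBER_OS_ROLE}");
+ks_assign_user_role
+{{- end }}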
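--- a/charts/deps/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/charts/deps/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.rabbit_init" }}
+#!/bin/bash
+set -e
+# Extract connection details
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+awk -F'[@]' '{print $2}' | \
+awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+awk -F'[@]' '{print $2}' | \
+awk -F'[:/]' '{print $2}')
+
+# Extract Admin User creadential
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+awk -F'[@]' '{print $1}' | \
+awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+awk -F'[@]' '{print $1}' | \
+awk -F'[//:]' '{print $5}')
+
+# Extract User creadential
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+awk -F'[@]' '{print $1}' | \
+awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+awk -F'[@]' '{print $1}' | \
+awk -F'[//:]' '{print $5}')
+
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+awk -F'[@]' '{print $2}' | \
+awk -F'[:/]' '{print $3}')
+# Resolve vHost to / if no value is set
+RABBITMQ_VHOST="${RABBITMQ_VHOST:-/}"
+
+function rabbitmqadmin_cli () {
+if [ -n "$RABBITMQ_X509" ]
+then
+rabbitmqadmin \
+--ssl \
+--ssl-disable-hostname-verification \
+--ssl-ca-cert-file="${USER_CERT_PATH}/ca.crt" \
+--ssl-cert-file="${USER_CERT_PATH}/tls.crt" \
+--ssl-key-file="${USER_CERT_PATH}/tls.key" \
+--host="${RABBIT_HOSTNAME}" \
+--port="${RABBIT_PORT}" \
+--username="${RABBITMQ_ADMIN_USERNAME}" \
+--password="${RABBITMQ_ADMIN_PASSWORD}" \
+${@}
+else
+rabbitmqadmin \
+--host="${RABBIT_HOSTNAME}" \
+--port="${RABBIT_PORT}" \
+--username="${RABBITMQ_ADMIN_USERNAME}" \
+--password="${RABBITMQ_ADMIN_PASSWORD}" \
+${@}
+fi
+}
+
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+declare user \
+name="${RABBITMQ_USERNAME}" \
+password="${RABBITMQ_PASSWORD}" \
+tags="user"
+
+echo "Deleting Guest User"
+rabbitmqadmin_cli \
+delete user \
+name="guest" || true
+
+if [ "${RABBITMQ_VHOST}" != "/" ]
+then
+echo "Managing: vHost: ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+declare vhost \
+name="${RABBITMQ_VHOST}"
+else
+echo "Skipping root vHost declaration: vHost: ${RABBITMQ_VHOST}"
+fi
+
+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+declare permission \
+vhost="${RABBITMQ_VHOST}" \
+user="${RABBITMQ_USERNAME}" \
+configure=".*" \
+write=".*" \
+read=".*"
+
+if [ ! -z "$RABBITMQ_AUXILIARY_CONFIGURATION" ]
+then
+echo "Applying additional configuration"
+echo "${RABBITMQ_AUXILIARY_CONFIGURATION}" > /tmp/rmq_definitions.json
+rabbitmqadmin_cli import /tmp/rmq_definitions.json
+fi
+
+{{- end }}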
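Review bot: The TLS branch of `rabbitmqadmin_cli` passes `--ssl-disable-hostname-verification`, so the client accepts any certificate that chains to `ca.crt` regardless of the host it was issued for, and then sends the admin username and password over that connection. If the broker certificate carries the service name, the flag can be dropped; if it cannot, a comment above the flag should say why verification is off. Both branches also forward their arguments as `${@}`, which re-splits them on whitespace and expands globs, so a password or vhost name containing a space or `*` reaches rabbitmqadmin altered; `"$@"` keeps each argument intact. The awk field splitting on `:`, `/` and `@` will likewise truncate a password that contains any of those characters, which is worth stating in the comment above the extraction block.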
@ -0,0 +1,88 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.scripts.rally_test" -}}
|
||||
#!/bin/bash
|
||||
set -ex
|
||||
{{- $rallyTests := index . 0 }}
|
||||
|
||||
: "${RALLY_ENV_NAME:="openstack-helm"}"
|
||||
: "${OS_INTERFACE:="public"}"
|
||||
: "${RALLY_CLEANUP:="true"}"
|
||||
|
||||
if [ "x$RALLY_CLEANUP" == "xtrue" ]; then
|
||||
function rally_cleanup {
|
||||
openstack user delete \
|
||||
--domain="${SERVICE_OS_USER_DOMAIN_NAME}" \
|
||||
"${SERVICE_OS_USERNAME}"
|
||||
{{ $rallyTests.clean_up | default "" | indent 4 }}
|
||||
}
|
||||
trap rally_cleanup EXIT
|
||||
fi
|
||||
|
||||
function create_or_update_db () {
|
||||
revisionResults=$(rally db revision)
|
||||
if [ $revisionResults = "None" ]
|
||||
then
|
||||
rally db create
|
||||
else
|
||||
rally db upgrade
|
||||
fi
|
||||
}
|
||||
|
||||
create_or_update_db
|
||||
|
||||
cat > /tmp/rally-config.json << EOF
|
||||
{
|
||||
"openstack": {
|
||||
"auth_url": "${OS_AUTH_URL}",
|
||||
"region_name": "${OS_REGION_NAME}",
|
||||
"endpoint_type": "${OS_INTERFACE}",
|
||||
"admin": {
|
||||
"username": "${OS_USERNAME}",
|
||||
"password": "${OS_PASSWORD}",
|
||||
"user_domain_name": "${OS_USER_DOMAIN_NAME}",
|
||||
"project_name": "${OS_PROJECT_NAME}",
|
||||
"project_domain_name": "${OS_PROJECT_DOMAIN_NAME}"
|
||||
},
|
||||
"users": [
|
||||
{
|
||||
"username": "${SERVICE_OS_USERNAME}",
|
||||
"password": "${SERVICE_OS_PASSWORD}",
|
||||
"project_name": "${SERVICE_OS_PROJECT_NAME}",
|
||||
"user_domain_name": "${SERVICE_OS_USER_DOMAIN_NAME}",
|
||||
"project_domain_name": "${SERVICE_OS_PROJECT_DOMAIN_NAME}"
|
||||
}
|
||||
],
|
||||
"https_insecure": false,
|
||||
"https_cacert": "${OS_CACERT}"
|
||||
}
|
||||
}
|
||||
EOF
|
||||
rally deployment create --file /tmp/rally-config.json --name "${RALLY_ENV_NAME}"
|
||||
rm -f /tmp/rally-config.json
|
||||
rally deployment use "${RALLY_ENV_NAME}"
|
||||
rally deployment check
|
||||
{{- if $rallyTests.run_tempest }}
|
||||
rally verify create-verifier --name "${RALLY_ENV_NAME}-tempest" --type tempest
|
||||
SERVICE_TYPE="$(rally deployment check | grep "${RALLY_ENV_NAME}" | awk -F \| '{print $3}' | tr -d ' ' | tr -d '\n')"
|
||||
rally verify start --pattern "tempest.api.${SERVICE_TYPE}*"
|
||||
rally verify delete-verifier --id "${RALLY_ENV_NAME}-tempest" --force
|
||||
{{- end }}
|
||||
rally task validate /etc/rally/rally_tests.yaml
|
||||
rally task start /etc/rally/rally_tests.yaml
|
||||
rally task sla-check
|
||||
rally env cleanup
|
||||
rally deployment destroy --deployment "${RALLY_ENV_NAME}"
|
||||
{{- end }}
|
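Review bot: The heredoc writes `OS_PASSWORD` and `SERVICE_OS_PASSWORD` to the fixed path `/tmp/rally-config.json` with the default umask, and because the script runs under `set -e`, a failing `rally deployment create` exits before the `rm -f` on the following line, leaving the credentials file on disk. Setting `umask 077` before the `cat` and removing the file from an EXIT handler that is installed whether or not `RALLY_CLEANUP` is true would close both gaps; the existing `rally_cleanup` trap is only defined in the `true` case. Separately, in `create_or_update_db` the test `[ $revisionResults = "None" ]` is unquoted, so empty or multi-word output from `rally db revision` makes `[` report an error and the script falls through to `rally db upgrade`; `[ "$revisionResults" = "None" ]` avoids that.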
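--- a/charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
+++ b/charts/deps/helm-toolkit/templates/scripts/db-backup-restore/_backup_main.sh.tpl
@@ -0,0 +1,567 @@
+{{- define "helm-toolkit.scripts.db-backup-restore.backup_main" }}
+#!/bin/bash
+
+# This file contains a database backup framework which database scripts
+# can use to perform a backup. The idea here is that the database-specific
+# functions will be implemented by the various databases using this script
+# (like mariadb, postgresql or etcd for example). The database-specific
+# script will need to first "source" this file like this:
+# source /tmp/backup_main.sh
+#
+# Then the script should call the main backup function (backup_databases):
+# backup_databases [scope]
+# [scope] is an optional parameter, defaulted to "all". If only one specific
+# database is required to be backed up then this parameter will
+# contain the name of the database; otherwise all are backed up.
+#
+# The framework will require the following variables to be exported:
+#
+# export DB_NAMESPACE Namespace where the database(s) reside
+# export DB_NAME Name of the database system
+# export LOCAL_DAYS_TO_KEEP Number of days to keep the local backups
+# export REMOTE_DAYS_TO_KEEP Number of days to keep the remote backups
+# export ARCHIVE_DIR Local location where the backup tarballs should
+# be stored. (full directory path)
+# export BACK_UP_MODE Determines the mode of backup taken.
+# export REMOTE_BACKUP_ENABLED "true" if remote backup enabled; false
+# otherwise
+# export CONTAINER_NAME Name of the container on the RGW to store
+# the backup tarball.
+# export STORAGE_POLICY Name of the storage policy defined on the
+# RGW which is intended to store backups.
+# RGW access variables:
+# export OS_REGION_NAME Name of the region the RGW resides in
+# export OS_AUTH_URL Keystone URL associated with the RGW
+# export OS_PROJECT_NAME Name of the project associated with the
+# keystone user
+# export OS_USERNAME Name of the keystone user
+# export OS_PASSWORD Password of the keystone user
+# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
+# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
+# export OS_IDENTITY_API_VERSION Keystone API version to use
+#
+# export REMOTE_BACKUP_RETRIES Number of retries to send backup to remote
+# in case of any temporary failures.
+# export MIN_DELAY_SEND_REMOTE Minimum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW
+# export MAX_DELAY_SEND_REMOTE Maximum seconds to delay before sending backup
+# to remote to stagger backups being sent to RGW.
+# A random number between min and max delay is generated
+# to set the delay.
+#
+# The database-specific functions that need to be implemented are:
+# dump_databases_to_directory <directory> <err_logfile> [scope]
+# where:
+# <directory> is the full directory path to dump the database files
+# into. This is a temporary directory for this backup only.
+# <err_logfile> is the full directory path where error logs are to be
+# written by the application.
+# [scope] set to "all" if all databases are to be backed up; or
+# set to the name of a specific database to be backed up.
+# This optional parameter is defaulted to "all".
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to dump the database file(s) to the specified
+# directory path. If this function completes successfully (returns 0), the
+# framework will automatically tar/zip the files in that directory and
+# name the tarball appropriately according to the proper conventions.
+#
+# verify_databases_backup_archives [scope]
+# returns: 0 if no errors; 1 if any errors occurred
+#
+# This function is expected to verify the database backup archives. If this function
+# completes successfully (returns 0), the
+# framework will automatically starts remote backup upload.
+#
+#
+# The functions in this file will take care of:
+# 1) Calling "dump_databases_to_directory" and then compressing the files,
+# naming the tarball properly, and then storing it locally at the specified
+# local directory.
+# 2) Sending the tarball built to the remote gateway, to be stored in the
+# container configured to store database backups.
+# 3) Removing local backup tarballs which are older than the number of days
+# specified by the "LOCAL_DAYS_TO_KEEP" variable.
+# 4) Removing remote backup tarballs (from the remote gateway) which are older
+# than the number of days specified by the "REMOTE_DAYS_TO_KEEP" variable.
+#
+
+# Note: not using set -e in this script because more elaborate error handling
+# is needed.
+
+log_backup_error_exit() {
+MSG=$1
+ERRCODE=${2:-0}
+log ERROR "${DB_NAME}_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+rm -f $ERR_LOG_FILE
+rm -rf $TMP_DIR
+exit $ERRCODE
+}
+
+log_verify_backup_exit() {
+MSG=$1
+ERRCODE=${2:-0}
+log ERROR "${DB_NAME}_verify_backup" "${DB_NAMESPACE} namespace: ${MSG}"
+rm -f $ERR_LOG_FILE
+# rm -rf $TMP_DIR
+exit $ERRCODE
+}
+
+
+log() {
+#Log message to a file or stdout
+#TODO: This can be convert into mail alert of alert send to a monitoring system
+#Params: $1 log level
+#Params: $2 service
+#Params: $3 message
+#Params: $4 Destination
+LEVEL=$1
+SERVICE=$2
+MSG=$3
+DEST=$4
+DATE=$(date +"%m-%d-%y %H:%M:%S")
+if [[ -z "$DEST" ]]; then
+echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}"
+else
+echo "${DATE} ${LEVEL}: $(hostname) ${SERVICE}: ${MSG}" >>$DEST
+fi
+}
+
+# Generate a random number between MIN_DELAY_SEND_REMOTE and
+# MAX_DELAY_SEND_REMOTE
+random_number() {
+diff=$((${MAX_DELAY_SEND_REMOTE} - ${MIN_DELAY_SEND_REMOTE} + 1))
+echo $(($(( ${RANDOM} % ${diff} )) + ${MIN_DELAY_SEND_REMOTE} ))
+}
+
+#Get the day delta since the archive file backup
+seconds_difference() {
+ARCHIVE_DATE=$( date --date="$1" +%s )
+if [[ $? -ne 0 ]]; then
+SECOND_DELTA=0
+fi
+CURRENT_DATE=$( date +%s )
+SECOND_DELTA=$(($CURRENT_DATE-$ARCHIVE_DATE))
+if [[ "$SECOND_DELTA" -lt 0 ]]; then
+SECOND_DELTA=0
+fi
+echo $SECOND_DELTA
+}
+
+# Send the specified tarball file at the specified filepath to the
+# remote gateway.
+send_to_remote_server() {
+FILEPATH=$1
+FILE=$2
+
+# Grab the list of containers on the remote site
+RESULT=$(openstack container list 2>&1)
+
+if [[ $? -eq 0 ]]; then
+echo $RESULT | grep $CONTAINER_NAME
+if [[ $? -ne 0 ]]; then
+# Find the swift URL from the keystone endpoint list
+SWIFT_URL=$(openstack catalog show object-store -c endpoints | grep public | awk '{print $4}')
+if [[ $? -ne 0 ]]; then
+log WARN "${DB_NAME}_backup" "Unable to get object-store enpoints from keystone catalog."
+return 2
+fi
+
+# Get a token from keystone
+TOKEN=$(openstack token issue -f value -c id)
+if [[ $? -ne 0 ]]; then
+log WARN "${DB_NAME}_backup" "Unable to get keystone token."
+return 2
+fi
+
+# Create the container
+RES_FILE=$(mktemp -p /tmp)
+curl -g -i -X PUT ${SWIFT_URL}/${CONTAINER_NAME} \
+-H "X-Auth-Token: ${TOKEN}" \
+-H "X-Storage-Policy: ${STORAGE_POLICY}" 2>&1 > $RES_FILE
+
+if [[ $? -ne 0 || $(grep "HTTP" $RES_FILE | awk '{print $2}') -ge 400 ]]; then
+log WARN "${DB_NAME}_backup" "Unable to create container ${CONTAINER_NAME}"
+cat $RES_FILE
+rm -f $RES_FILE
+return 2
+fi
+rm -f $RES_FILE
+
+swift stat $CONTAINER_NAME
+if [[ $? -ne 0 ]]; then
+log WARN "${DB_NAME}_backup" "Unable to retrieve container ${CONTAINER_NAME} details after creation."
+return 2
+fi
+fi
+else
+echo $RESULT | grep -E "HTTP 401|HTTP 403"
+if [[ $? -eq 0 ]]; then
+log ERROR "${DB_NAME}_backup" "Access denied by keystone: ${RESULT}"
+return 1
+else
+echo $RESULT | grep -E "ConnectionError|Failed to discover available identity versions|Service Unavailable|HTTP 50"
+if [[ $? -eq 0 ]]; then
+log WARN "${DB_NAME}_backup" "Could not reach the RGW: ${RESULT}"
+# In this case, keystone or the site/node may be temporarily down.
+# Return slightly different error code so the calling code can retry
+return 2
+else
+log ERROR "${DB_NAME}_backup" "Could not get container list: ${RESULT}"
+return 1
+fi
+fi
+fi
+
+# load balance delay
+DELAY=$((1 + ${RANDOM} % 30))
+echo "Sleeping for ${DELAY} seconds to spread the load in time..."
+sleep ${DELAY}
+
+# Create an object to store the file
+openstack object create --name $FILE $CONTAINER_NAME $FILEPATH/$FILE
+if [[ $? -ne 0 ]]; then
+log WARN "${DB_NAME}_backup" "Cannot create container object ${FILE}!"
+return 2
+fi
+
+openstack object show $CONTAINER_NAME $FILE
+if [[ $? -ne 0 ]]; then
+log WARN "${DB_NAME}_backup" "Unable to retrieve container object $FILE after creation."
+return 2
+fi
+
+# Remote backup verification
+MD5_REMOTE=$(openstack object show $CONTAINER_NAME $FILE -f json | jq -r ".etag")
+MD5_LOCAL=$(cat ${FILEPATH}/${FILE} | md5sum | awk '{print $1}')
+log INFO "${DB_NAME}_backup" "Obtained MD5 hash for the file $FILE in container $CONTAINER_NAME."
+log INFO "${DB_NAME}_backup" "Local MD5 hash is ${MD5_LOCAL}."
+log INFO "${DB_NAME}_backup" "Remote MD5 hash is ${MD5_REMOTE}."
+if [[ "${MD5_LOCAL}" == "${MD5_REMOTE}" ]]; then
+log INFO "${DB_NAME}_backup" "The local backup & remote backup MD5 hash values are matching for file $FILE in container $CONTAINER_NAME."
+else
+log ERROR "${DB_NAME}_backup" "Mismatch between the local backup & remote backup MD5 hash values"
+return 2
+fi
+rm -rf ${REMOTE_FILE}
+
+log INFO "${DB_NAME}_backup" "Created file $FILE in container $CONTAINER_NAME successfully."
+return 0
+}
+
+# This function attempts to store the built tarball to the remote gateway,
+# with built-in logic to handle error cases like:
+# 1) Network connectivity issues - retries for a specific amount of time
+# 2) Authorization errors - immediately logs an ERROR and returns
+store_backup_remotely() {
+FILEPATH=$1
+FILE=$2
+
+count=1
+while [[ ${count} -le ${REMOTE_BACKUP_RETRIES} ]]; do
+# Store the new archive to the remote backup storage facility.
+send_to_remote_server $FILEPATH $FILE
+SEND_RESULT="$?"
+
+# Check if successful
+if [[ $SEND_RESULT -eq 0 ]]; then
+log INFO "${DB_NAME}_backup" "Backup file ${FILE} successfully sent to RGW."
+return 0
+elif [[ $SEND_RESULT -eq 2 ]]; then
+if [[ ${count} -ge ${REMOTE_BACKUP_RETRIES} ]]; then
+log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW in " \
+"${REMOTE_BACKUP_RETRIES} retries. Errors encountered. Exiting."
+break
+fi
+# Temporary failure occurred. We need to retry
+log WARN "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to RGW due to connection issue."
+sleep_time=$(random_number)
+log INFO "${DB_NAME}_backup" "Sleeping ${sleep_time} seconds waiting for RGW to become available..."
+sleep ${sleep_time}
+log INFO "${DB_NAME}_backup" "Retrying..."
+else
+log ERROR "${DB_NAME}_backup" "Backup file ${FILE} could not be sent to the RGW. Errors encountered. Exiting."
+break
+fi
+
+# Increment the counter
+count=$((count+1))
+done
+
+return 1
+}
+
+
+function get_archive_date(){
+# get_archive_date function returns correct archive date
+# for different formats of archives' names
+# the old one: <database name>.<namespace>.<table name | all>.<date-time>.tar.gz
+# the new one: <database name>.<namespace>.<table name | all>.<backup mode>.<date-time>.tar.gz
+local A_FILE="$1"
+awk -F. '{print $(NF-2)}' <<< ${A_FILE} | tr -d "Z"
+}
+
+# This function takes a list of archives' names as an input
+# and creates a hash table where keys are number of seconds
+# between current date and archive date (see seconds_difference),
+# and values are space separated archives' names
+#
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 1265342678 | "tmp/mysql.backup.auto.2022-02-14T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 2346254257 | "tmp/mysql.backup.auto.2022-02-11T10:13:13Z.tar.gz tmp/mysql.backup.manual.2022-02-11T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# <...>
+# +------------+---------------------------------------------------------------------------------------------------------+
+# | 6253434567 | "tmp/mysql.backup.manual.2022-02-01T10:13:13Z.tar.gz" |
+# +------------+---------------------------------------------------------------------------------------------------------+
+# We will use the explained above data stracture to cover rare, but still
+# possible case, when we have several backups of the same date. E.g.
+# one manual, and one automatic.
+
+declare -A fileTable
+create_hash_table() {
+unset fileTable
+fileList=$@
+for ARCHIVE_FILE in ${fileList}; do
+# Creating index, we will round given ARCHIVE_DATE to the midnight (00:00:00)
+# to take in account a possibility, that we can have more than one scheduled
+# backup per day.
+ARCHIVE_DATE=$(get_archive_date ${ARCHIVE_FILE})
+ARCHIVE_DATE=$(date --date=${ARCHIVE_DATE} +%D)
+log INFO "${DB_NAME}_backup" "Archive date to build index: ${ARCHIVE_DATE}"
+INDEX=$(seconds_difference ${ARCHIVE_DATE})
+if [[ -z fileTable[${INDEX}] ]]; then
+fileTable[${INDEX}]=${ARCHIVE_FILE}
+else
+fileTable[${INDEX}]="${fileTable[${INDEX}]} ${ARCHIVE_FILE}"
+fi
+echo "INDEX: ${INDEX} VALUE: ${fileTable[${INDEX}]}"
+done
+}
+
+function get_backup_prefix() {
+# Create list of all possible prefixes in a format:
+# <db_name>.<namespace> to cover a possible situation
+# when different backups of different databases and/or
+# namespaces share the same local or remote storage.
+ALL_FILES=($@)
+PREFIXES=()
+for fname in ${ALL_FILES[@]}; do
+prefix=$(basename ${fname} | cut -d'.' -f1,2 )
+for ((i=0; i<${#PREFIXES[@]}; i++)) do
+if [[ ${PREFIXES[${i}]} == ${prefix} ]]; then
+prefix=""
+break
+fi
+done
+if [[ ! -z ${prefix} ]]; then
+PREFIXES+=(${prefix})
+fi
+done
+}
+
+remove_old_local_archives() {
+SECONDS_TO_KEEP=$(( $((${LOCAL_DAYS_TO_KEEP}))*86400))
+log INFO "${DB_NAME}_backup" "Deleting backups older than ${LOCAL_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+if [[ -d $ARCHIVE_DIR ]]; then
+count=0
+# We iterate over the hash table, checking the delta in seconds (hash keys),
+# and minimum number of backups we must have in place. List of keys has to be sorted.
+for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ARCHIVE_FILE=${fileTable[${INDEX}]}
+if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${LOCAL_DAYS_TO_KEEP} ]]; then
+((count++))
+log INFO "${DB_NAME}_backup" "Keeping file(s) ${ARCHIVE_FILE}."
+else
+log INFO "${DB_NAME}_backup" "Deleting file(s) ${ARCHIVE_FILE}."
+rm -f ${ARCHIVE_FILE}
+if [[ $? -ne 0 ]]; then
+# Log error but don't exit so we can finish the script
+# because at this point we haven't sent backup to RGW yet
+log ERROR "${DB_NAME}_backup" "Failed to cleanup local backup. Cannot remove some of ${ARCHIVE_FILE}"
+fi
+fi
+done
+else
+log WARN "${DB_NAME}_backup" "The local backup directory ${$ARCHIVE_DIR} does not exist."
+fi
+}
+
+prepare_list_of_remote_backups() {
+BACKUP_FILES=$(mktemp -p /tmp)
+DB_BACKUP_FILES=$(mktemp -p /tmp)
+openstack object list $CONTAINER_NAME > $BACKUP_FILES
+if [[ $? -ne 0 ]]; then
+log_backup_error_exit \
+"Failed to cleanup remote backup. Could not obtain a list of current backup files in the RGW"
+fi
+# Filter out other types of backup files
+cat $BACKUP_FILES | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $DB_BACKUP_FILES
+}
+
+# The logic implemented with this function is absolutely similar
+# to the function remove_old_local_archives (see above)
+remove_old_remote_archives() {
+count=0
+SECONDS_TO_KEEP=$((${REMOTE_DAYS_TO_KEEP}*86400))
+log INFO "${DB_NAME}_backup" "Deleting backups older than ${REMOTE_DAYS_TO_KEEP} days (${SECONDS_TO_KEEP} seconds)"
+for INDEX in $(tr " " "\n" <<< ${!fileTable[@]} | sort -n -); do
+ARCHIVE_FILE=${fileTable[${INDEX}]}
+if [[ ${INDEX} -lt ${SECONDS_TO_KEEP} || ${count} -lt ${REMOTE_DAYS_TO_KEEP} ]]; then
+((count++))
+log INFO "${DB_NAME}_backup" "Keeping remote backup(s) ${ARCHIVE_FILE}."
+else
+log INFO "${DB_NAME}_backup" "Deleting remote backup(s) ${ARCHIVE_FILE} from the RGW"
+openstack object delete ${CONTAINER_NAME} ${ARCHIVE_FILE} || log WARN "${DB_NAME}_backup" \
+"Failed to cleanup remote backup. Cannot delete container object ${ARCHIVE_FILE}"
+fi
+done
+
+# Cleanup now that we're done.
+for fd in ${BACKUP_FILES} ${DB_BACKUP_FILES}; do
+if [[ -f ${fd} ]]; then
+rm -f ${fd}
+else
+log WARN "${DB_NAME}_backup" "Can not delete a temporary file ${fd}"
+fi
+done
+}
+
+# Main function to backup the databases. Calling functions need to supply:
+# 1) The directory where the final backup will be kept after it is compressed.
+# 2) A temporary directory to use for placing database files to be compressed.
+# Note: this temp directory will be deleted after backup is done.
+# 3) Optional "scope" parameter indicating what database to back up. Defaults
+# to "all".
+backup_databases() {
+SCOPE=${1:-"all"}
+
+# Create necessary directories if they do not exist.
+mkdir -p $ARCHIVE_DIR || log_backup_error_exit \
+"Backup of the ${DB_NAME} database failed. Cannot create directory ${ARCHIVE_DIR}!"
+export TMP_DIR=$(mktemp -d) || log_backup_error_exit \
+"Backup of the ${DB_NAME} database failed. Cannot create temp directory!"
+
+# Create temporary log file
+export ERR_LOG_FILE=$(mktemp -p /tmp) || log_backup_error_exit \
+"Backup of the ${DB_NAME} database failed. Cannot create log file!"
+
+# It is expected that this function will dump the database files to the $TMP_DIR
+dump_databases_to_directory $TMP_DIR $ERR_LOG_FILE $SCOPE
+
+# If successful, there should be at least one file in the TMP_DIR
+if [[ $? -ne 0 || $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+cat $ERR_LOG_FILE
+log_backup_error_exit "Backup of the ${DB_NAME} database failed and needs attention."
+fi
+
+log INFO "${DB_NAME}_backup" "Databases dumped successfully. Creating tarball..."
+
+NOW=$(date +"%Y-%m-%dT%H:%M:%SZ")
+if [[ -z "${BACK_UP_MODE}" ]]; then
+TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${NOW}.tar.gz"
+else
+TARBALL_FILE="${DB_NAME}.${DB_NAMESPACE}.${SCOPE}.${BACK_UP_MODE}.${NOW}.tar.gz"
+fi
+
+cd $TMP_DIR || log_backup_error_exit \
+"Backup of the ${DB_NAME} database failed. Cannot change to directory $TMP_DIR"
+
+#Archive the current database files
+tar zcvf $ARCHIVE_DIR/$TARBALL_FILE *
+if [[ $? -ne 0 ]]; then
+log_backup_error_exit \
+"Backup ${DB_NAME} to local file system failed. Backup tarball could not be created."
+fi
+
+# Get the size of the file
+ARCHIVE_SIZE=$(ls -l $ARCHIVE_DIR/$TARBALL_FILE | awk '{print $5}')
+
+log INFO "${DB_NAME}_backup" "Tarball $TARBALL_FILE created successfully."
+
+cd $ARCHIVE_DIR
+
+#Only delete the old archive after a successful archive
+export LOCAL_DAYS_TO_KEEP=$(echo $LOCAL_DAYS_TO_KEEP | sed 's/"//g')
+if [[ "$LOCAL_DAYS_TO_KEEP" -gt 0 ]]; then
+get_backup_prefix $(ls -1 ${ARCHIVE_DIR}/*.gz)
+for ((i=0; i<${#PREFIXES[@]}; i++)); do
+echo "Working with prefix: ${PREFIXES[i]}"
+create_hash_table $(ls -1 ${ARCHIVE_DIR}/${PREFIXES[i]}*.gz)
+remove_old_local_archives
+done
+fi
+
+# Local backup verification process
+
+# It is expected that this function will verify the database backup files
+if verify_databases_backup_archives ${SCOPE}; then
+log INFO "${DB_NAME}_backup_verify" "Databases backup verified successfully. Uploading verified backups to remote location..."
+else
+# If successful, there should be at least one file in the TMP_DIR
+if [[ $(ls $TMP_DIR | wc -w) -eq 0 ]]; then
+cat $ERR_LOG_FILE
+fi
+log_verify_backup_exit "Verify of the ${DB_NAME} database backup failed and needs attention."
+exit 1
+fi
+
+# Remove the temporary directory and files as they are no longer needed.
+rm -rf $TMP_DIR
+rm -f $ERR_LOG_FILE
+
+# Remote backup
+REMOTE_BACKUP=$(echo $REMOTE_BACKUP_ENABLED | sed 's/"//g')
+if $REMOTE_BACKUP; then
+# Remove Quotes from the constants which were added due to reading
+# from secret.
+export REMOTE_BACKUP_RETRIES=$(echo $REMOTE_BACKUP_RETRIES | sed 's/"//g')
+export MIN_DELAY_SEND_REMOTE=$(echo $MIN_DELAY_SEND_REMOTE | sed 's/"//g')
+export MAX_DELAY_SEND_REMOTE=$(echo $MAX_DELAY_SEND_REMOTE | sed 's/"//g')
+export REMOTE_DAYS_TO_KEEP=$(echo $REMOTE_DAYS_TO_KEEP | sed 's/"//g')
+
+store_backup_remotely $ARCHIVE_DIR $TARBALL_FILE
+if [[ $? -ne 0 ]]; then
+# This error should print first, then print the summary as the last
+# thing that the user sees in the output.
+log ERROR "${DB_NAME}_backup" "Backup ${TARBALL_FILE} could not be sent to remote RGW."
+echo "=================================================================="
+echo "Local backup successful, but could not send to remote RGW."
+echo "Backup archive name: $TARBALL_FILE"
+echo "Backup archive size: $ARCHIVE_SIZE"
+echo "=================================================================="
+# Because the local backup was successful, exit with 0 so the pod will not
+# continue to restart and fill the disk with more backups. The ERRORs are
+# logged and alerting system should catch those errors and flag the operator.
+exit 0
+fi
+
+#Only delete the old archive after a successful archive
+if [[ "$REMOTE_DAYS_TO_KEEP" -gt 0 ]]; then
+prepare_list_of_remote_backups
+get_backup_prefix $(cat $DB_BACKUP_FILES)
+for ((i=0; i<${#PREFIXES[@]}; i++)); do
+echo "Working with prefix: ${PREFIXES[i]}"
+create_hash_table $(cat ${DB_BACKUP_FILES} | grep ${PREFIXES[i]})
+remove_old_remote_archives
+done
+fi
+
+echo "=================================================================="
+echo "Local backup and backup to remote RGW successful!"
+echo "Backup archive name: $TARBALL_FILE"
+echo "Backup archive size: $ARCHIVE_SIZE"
+echo "=================================================================="
+else
+# Remote backup is not enabled. This is ok; at least we have a local backup.
+log INFO "${DB_NAME}_backup" "Skipping remote backup, as it is not enabled."
+
+echo "=================================================================="
+echo "Local backup successful!"
+echo "Backup archive name: $TARBALL_FILE"
+echo "Backup archive size: $ARCHIVE_SIZE"
+echo "=================================================================="
+fi
+}
+{{- end }}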
@ -0,0 +1,616 @@
|
||||
{{- define "helm-toolkit.scripts.db-backup-restore.restore_main" }}
|
||||
#!/bin/bash
|
||||
|
||||
# This file contains a database restore framework which database scripts
|
||||
# can use to perform a backup. The idea here is that the database-specific
|
||||
# functions will be implemented by the various databases using this script
|
||||
# (like mariadb, postgresql or etcd for example). The database-specific
|
||||
# script will need to first "source" this file like this:
|
||||
# source /tmp/restore_main.sh
|
||||
#
|
||||
# Then the script should call the main CLI function (cli_main):
|
||||
# cli_main <arg_list>
|
||||
# where:
|
||||
# <arg_list> is the list of arguments given by the user
|
||||
#
|
||||
# The framework will require the following variables to be exported:
|
||||
#
|
||||
# export DB_NAMESPACE Namespace where the database(s) reside
|
||||
# export DB_NAME Name of the database system
|
||||
# export ARCHIVE_DIR Location where the backup tarballs should
|
||||
# be stored. (full directory path which
|
||||
# should already exist)
|
||||
# export CONTAINER_NAME Name of the container on the RGW where
|
||||
# the backups are stored.
|
||||
# RGW access variables:
|
||||
# export OS_REGION_NAME Name of the region the RGW resides in
|
||||
# export OS_AUTH_URL Keystone URL associated with the RGW
|
||||
# export OS_PROJECT_NAME Name of the project associated with the
|
||||
# keystone user
|
||||
# export OS_USERNAME Name of the keystone user
|
||||
# export OS_PASSWORD Password of the keystone user
|
||||
# export OS_USER_DOMAIN_NAME Keystone domain the project belongs to
|
||||
# export OS_PROJECT_DOMAIN_NAME Keystone domain the user belongs to
|
||||
# export OS_IDENTITY_API_VERSION Keystone API version to use
|
||||
#
|
||||
# The database-specific functions that need to be implemented are:
|
||||
# get_databases
|
||||
# where:
|
||||
# <tmp_dir> is the full directory path where the decompressed
|
||||
# database files reside
|
||||
# <db_file> is the full path of the file to write the database
|
||||
# names into, one database per line
|
||||
# returns: 0 if no errors; 1 if any errors occurred
|
||||
#
|
||||
# This function is expected to extract the database names from the
|
||||
# uncompressed database files found in the given "tmp_dir", which is
|
||||
# the staging directory for database restore. The database names
|
||||
# should be written to the given "db_file", one database name per
|
||||
# line.
|
||||
#
|
||||
# get_tables
|
||||
# <db_name> is the name of the database to get the tables from
|
||||
# <tmp_dir> is the full directory path where the decompressed
|
||||
# database files reside
|
||||
# <table_file> is the full path of the file to write the table
|
||||
# names into, one table per line
|
||||
# returns: 0 if no errors; 1 if any errors occurred
|
||||
#
|
||||
# This function is expected to extract the table names from the given
|
||||
# database, found in the uncompressed database files located in the
|
||||
# given "tmp_dir", which is the staging directory for database restore.
|
||||
# The table names should be written to the given "table_file", one
|
||||
# table name per line.
|
||||
#
|
||||
# get_rows
|
||||
# <table_name> is the name of the table to get the rows from
|
||||
# <db_name> is the name of the database the table resides in
|
||||
# <tmp_dir> is the full directory path where the decompressed
|
||||
# database files reside
|
||||
# <rows_file> is the full path of the file to write the table
|
||||
# row data into, one row (INSERT statement) per line
|
||||
# returns: 0 if no errors; 1 if any errors occurred
|
||||
#
|
||||
# This function is expected to extract the rows from the given table
|
||||
# in the given database, found in the uncompressed database files
|
||||
# located in the given "tmp_dir", which is the staging directory for
|
||||
# database restore. The table rows should be written to the given
|
||||
# "rows_file", one row (INSERT statement) per line.
|
||||
#
|
||||
# get_schema
|
||||
# <table_name> is the name of the table to get the schema from
|
||||
# <db_name> is the name of the database the table resides in
|
||||
# <tmp_dir> is the full directory path where the decompressed
|
||||
# database files reside
|
||||
# <schema_file> is the full path of the file to write the table
|
||||
# schema data into
|
||||
# returns: 0 if no errors; 1 if any errors occurred
|
||||
#
|
||||
# This function is expected to extract the schema from the given table
|
||||
# in the given database, found in the uncompressed database files
|
||||
# located in the given "tmp_dir", which is the staging directory for
|
||||
# database restore. The table schema and related alterations and
|
||||
# grant information should be written to the given "schema_file".
|
||||
#
|
||||
# restore_single_db
|
||||
# where:
|
||||
# <db_name> is the name of the database to be restored
|
||||
# <tmp_dir> is the full directory path where the decompressed
|
||||
# database files reside
|
||||
# returns: 0 if no errors; 1 if any errors occurred
|
||||
#
|
||||
# This function is expected to restore the database given as "db_name"
|
||||
# using the database files located in the "tmp_dir". The framework
|
||||
# will delete the "tmp_dir" and the files in it after the restore is
|
||||
# complete.
|
||||
#
|
||||
# restore_all_dbs
|
||||
# where:
|
||||
# <tmp_dir> is the full directory path where the decompressed
|
||||
# database files reside
|
||||
# returns: 0 if no errors; 1 if any errors occurred
|
||||
#
|
||||
# This function is expected to restore all of the databases which
|
||||
# are backed up in the database files located in the "tmp_dir". The
|
||||
# framework will delete the "tmp_dir" and the files in it after the
|
||||
# restore is complete.
|
||||
#
|
||||
# The functions in this file will take care of:
|
||||
# 1) The CLI parameter parsing for the arguments passed in by the user.
|
||||
# 2) The listing of either local or remote archive files at the request
|
||||
# of the user.
|
||||
# 3) The retrieval/download of an archive file located either in the local
|
||||
# file system or remotely stored on an RGW.
|
||||
# 4) Calling either "restore_single_db" or "restore_all_dbs" when the user
|
||||
# chooses to restore a database or all databases.
|
||||
# 5) The framework will call "get_databases" when it needs a list of
|
||||
# databases when the user requests a database list or when the user
|
||||
# requests to restore a single database (to ensure it exists in the
|
||||
# archive). Similarly, the framework will call "get_tables", "get_rows",
|
||||
# or "get_schema" when it needs that data requested by the user.
|
||||
#
|
||||
|
||||
usage() {
|
||||
ret_val=$1
|
||||
echo "Usage:"
|
||||
echo "Restore command options"
|
||||
echo "============================="
|
||||
echo "help"
|
||||
echo "list_archives [remote]"
|
||||
echo "list_databases <archive_filename> [remote]"
|
||||
echo "list_tables <archive_filename> <dbname> [remote]"
|
||||
echo "list_rows <archive_filename> <dbname> <table_name> [remote]"
|
||||
echo "list_schema <archive_filename> <dbname> <table_name> [remote]"
|
||||
echo "restore <archive_filename> <db_specifier> [remote]"
|
||||
echo " where <db_specifier> = <dbname> | ALL"
|
||||
echo "delete_archive <archive_filename> [remote]"
|
||||
clean_and_exit $ret_val ""
|
||||
}
|
||||
|
||||
#Exit cleanly with some message and return code
|
||||
clean_and_exit() {
|
||||
RETCODE=$1
|
||||
MSG=$2
|
||||
|
||||
# Clean/remove temporary directories/files
|
||||
rm -rf $TMP_DIR
|
||||
rm -f $RESULT_FILE
|
||||
|
||||
if [[ "x${MSG}" != "x" ]]; then
|
||||
echo $MSG
|
||||
fi
|
||||
exit $RETCODE
|
||||
}
|
||||
|
||||
determine_resulting_error_code() {
|
||||
RESULT="$1"
|
||||
|
||||
echo ${RESULT} | grep "HTTP 404"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "Could not find the archive: ${RESULT}"
|
||||
return 1
|
||||
else
|
||||
echo ${RESULT} | grep "HTTP 401"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "Could not access the archive: ${RESULT}"
|
||||
return 1
|
||||
else
|
||||
echo ${RESULT} | grep "HTTP 503"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "RGW service is unavailable. ${RESULT}"
|
||||
# In this case, the RGW may be temporarily down.
|
||||
# Return slightly different error code so the calling code can retry
|
||||
return 2
|
||||
else
|
||||
echo ${RESULT} | grep "ConnectionError"
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "Could not reach the RGW: ${RESULT}"
|
||||
# In this case, keystone or the site/node may be temporarily down.
|
||||
# Return slightly different error code so the calling code can retry
|
||||
return 2
|
||||
else
|
||||
echo "Archive ${ARCHIVE} could not be retrieved: ${RESULT}"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# Retrieve a list of archives from the RGW.
|
||||
retrieve_remote_listing() {
|
||||
RESULT=$(openstack container show $CONTAINER_NAME 2>&1)
|
||||
if [[ $? -eq 0 ]]; then
|
||||
# Get the list, ensureing that we only pick up the right kind of backups from the
|
||||
# requested namespace
|
||||
openstack object list $CONTAINER_NAME | grep $DB_NAME | grep $DB_NAMESPACE | awk '{print $2}' > $TMP_DIR/archive_list
|
||||
if [[ $? -ne 0 ]]; then
|
||||
echo "Container object listing could not be obtained."
|
||||
return 1
|
||||
else
|
||||
echo "Archive listing successfully retrieved."
|
||||
fi
|
||||
else
|
||||
determine_resulting_error_code "${RESULT}"
|
||||
return $?
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# Retrieve a single archive from the RGW.
|
||||
retrieve_remote_archive() {
|
||||
ARCHIVE=$1
|
||||
|
||||
RESULT=$(openstack object save --file $TMP_DIR/$ARCHIVE $CONTAINER_NAME $ARCHIVE 2>&1)
|
||||
if [[ $? -ne 0 ]]; then
|
||||
determine_resulting_error_code "${RESULT}"
|
||||
return $?
|
||||
else
|
||||
echo "Archive $ARCHIVE successfully retrieved."
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# Delete an archive from the RGW.
|
||||
delete_remote_archive() {
|
||||
ARCHIVE=$1
|
||||
|
||||
RESULT=$(openstack object delete ${CONTAINER_NAME} ${ARCHIVE} 2>&1)
|
||||
if [[ $? -ne 0 ]]; then
|
||||
determine_resulting_error_code "${RESULT}"
|
||||
return $?
|
||||
else
|
||||
echo "Archive ${ARCHIVE} successfully deleted."
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# Display all archives
|
||||
list_archives() {
|
||||
REMOTE=$1
|
||||
|
||||
if [[ "x${REMOTE^^}" == "xREMOTE" ]]; then
|
||||
retrieve_remote_listing
|
||||
if [[ $? -eq 0 && -e $TMP_DIR/archive_list ]]; then
|
||||
echo
|
||||
echo "All Archives from RGW Data Store"
|
||||
echo "=============================================="
|
||||
cat $TMP_DIR/archive_list | sort
|
||||
clean_and_exit 0 ""
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Archives could not be retrieved from the RGW."
|
||||
fi
|
||||
elif [[ "x${REMOTE}" == "x" ]]; then
|
||||
if [[ -d $ARCHIVE_DIR ]]; then
|
||||
archives=$(find $ARCHIVE_DIR/ -iname "*.gz" -print | sort)
|
||||
echo
|
||||
echo "All Local Archives"
|
||||
echo "=============================================="
|
||||
for archive in $archives
|
||||
do
|
||||
echo $archive | cut -d '/' -f8-
|
||||
done
|
||||
clean_and_exit 0 ""
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Local archive directory is not available."
|
||||
fi
|
||||
else
|
||||
usage 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Retrieve the archive from the desired location and decompress it into
|
||||
# the restore directory
|
||||
get_archive() {
|
||||
ARCHIVE_FILE=$1
|
||||
REMOTE=$2
|
||||
|
||||
if [[ "x$REMOTE" == "xremote" ]]; then
|
||||
echo "Retrieving archive ${ARCHIVE_FILE} from the remote RGW..."
|
||||
retrieve_remote_archive $ARCHIVE_FILE
|
||||
if [[ $? -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Could not retrieve remote archive: $ARCHIVE_FILE"
|
||||
fi
|
||||
elif [[ "x$REMOTE" == "x" ]]; then
|
||||
if [[ -e $ARCHIVE_DIR/$ARCHIVE_FILE ]]; then
|
||||
cp $ARCHIVE_DIR/$ARCHIVE_FILE $TMP_DIR/$ARCHIVE_FILE
|
||||
if [[ $? -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Could not copy local archive to restore directory."
|
||||
fi
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Local archive file could not be found."
|
||||
fi
|
||||
else
|
||||
usage 1
|
||||
fi
|
||||
|
||||
echo "Decompressing archive $ARCHIVE_FILE..."
|
||||
cd $TMP_DIR
|
||||
tar zxvf - < $TMP_DIR/$ARCHIVE_FILE 1>/dev/null
|
||||
if [[ $? -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Archive decompression failed."
|
||||
fi
|
||||
}
|
||||
|
||||
# Display all databases from an archive
|
||||
list_databases() {
|
||||
ARCHIVE_FILE=$1
|
||||
REMOTE=$2
|
||||
WHERE="local"
|
||||
|
||||
if [[ -n ${REMOTE} ]]; then
|
||||
WHERE="remote"
|
||||
fi
|
||||
|
||||
# Get the archive from the source location (local/remote)
|
||||
get_archive $ARCHIVE_FILE $REMOTE
|
||||
|
||||
# Expectation is that the database listing will be put into
|
||||
# the given file one database per line
|
||||
get_databases $TMP_DIR $RESULT_FILE
|
||||
if [[ "$?" -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Could not retrieve databases from $WHERE archive $ARCHIVE_FILE."
|
||||
fi
|
||||
|
||||
if [[ -f "$RESULT_FILE" ]]; then
|
||||
echo " "
|
||||
echo "Databases in the $WHERE archive $ARCHIVE_FILE"
|
||||
echo "================================================================================"
|
||||
cat $RESULT_FILE
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Databases file missing. Could not list databases from $WHERE archive $ARCHIVE_FILE."
|
||||
fi
|
||||
}
|
||||
|
||||
# Display all tables of a database from an archive
|
||||
list_tables() {
|
||||
ARCHIVE_FILE=$1
|
||||
DATABASE=$2
|
||||
REMOTE=$3
|
||||
WHERE="local"
|
||||
|
||||
if [[ -n ${REMOTE} ]]; then
|
||||
WHERE="remote"
|
||||
fi
|
||||
|
||||
# Get the archive from the source location (local/remote)
|
||||
get_archive $ARCHIVE_FILE $REMOTE
|
||||
|
||||
# Expectation is that the database listing will be put into
|
||||
# the given file one table per line
|
||||
get_tables $DATABASE $TMP_DIR $RESULT_FILE
|
||||
if [[ "$?" -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Could not retrieve tables for database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
|
||||
fi
|
||||
|
||||
if [[ -f "$RESULT_FILE" ]]; then
|
||||
echo " "
|
||||
echo "Tables in database $DATABASE from $WHERE archive $ARCHIVE_FILE"
|
||||
echo "================================================================================"
|
||||
cat $RESULT_FILE
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Tables file missing. Could not list tables of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
|
||||
fi
|
||||
}
|
||||
|
||||
# Display all rows of the given database table from an archive
|
||||
list_rows() {
|
||||
ARCHIVE_FILE=$1
|
||||
DATABASE=$2
|
||||
TABLE=$3
|
||||
REMOTE=$4
|
||||
WHERE="local"
|
||||
|
||||
if [[ -n ${REMOTE} ]]; then
|
||||
WHERE="remote"
|
||||
fi
|
||||
|
||||
# Get the archive from the source location (local/remote)
|
||||
get_archive $ARCHIVE_FILE $REMOTE
|
||||
|
||||
# Expectation is that the database listing will be put into
|
||||
# the given file one table per line
|
||||
get_rows $DATABASE $TABLE $TMP_DIR $RESULT_FILE
|
||||
if [[ "$?" -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Could not retrieve rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
|
||||
fi
|
||||
|
||||
if [[ -f "$RESULT_FILE" ]]; then
|
||||
echo " "
|
||||
echo "Rows in table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
|
||||
echo "================================================================================"
|
||||
cat $RESULT_FILE
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Rows file missing. Could not list rows in table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
|
||||
fi
|
||||
}
|
||||
|
||||
# Display the schema information of the given database table from an archive
|
||||
list_schema() {
|
||||
ARCHIVE_FILE=$1
|
||||
DATABASE=$2
|
||||
TABLE=$3
|
||||
REMOTE=$4
|
||||
WHERE="local"
|
||||
|
||||
if [[ -n ${REMOTE} ]]; then
|
||||
WHERE="remote"
|
||||
fi
|
||||
|
||||
# Get the archive from the source location (local/remote)
|
||||
get_archive $ARCHIVE_FILE $REMOTE
|
||||
|
||||
# Expectation is that the schema information will be placed into
|
||||
# the given schema file.
|
||||
get_schema $DATABASE $TABLE $TMP_DIR $RESULT_FILE
|
||||
if [[ "$?" -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Could not retrieve schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
|
||||
fi
|
||||
|
||||
if [[ -f "$RESULT_FILE" ]]; then
|
||||
echo " "
|
||||
echo "Schema for table $TABLE of database $DATABASE from $WHERE archive $ARCHIVE_FILE"
|
||||
echo "================================================================================"
|
||||
cat $RESULT_FILE
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Schema file missing. Could not list schema for table ${TABLE} of database ${DATABASE} from $WHERE archive $ARCHIVE_FILE."
|
||||
fi
|
||||
}
|
||||
|
||||
# Delete an archive
|
||||
delete_archive() {
|
||||
ARCHIVE_FILE=$1
|
||||
REMOTE=$2
|
||||
WHERE="local"
|
||||
|
||||
if [[ -n ${REMOTE} ]]; then
|
||||
WHERE="remote"
|
||||
fi
|
||||
|
||||
if [[ "${WHERE}" == "remote" ]]; then
|
||||
delete_remote_archive ${ARCHIVE_FILE}
|
||||
if [[ $? -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Could not delete remote archive: ${ARCHIVE_FILE}"
|
||||
fi
|
||||
else # Local
|
||||
if [[ -e ${ARCHIVE_DIR}/${ARCHIVE_FILE} ]]; then
|
||||
rm -f ${ARCHIVE_DIR}/${ARCHIVE_FILE}
|
||||
if [[ $? -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Could not delete local archive."
|
||||
fi
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Local archive file could not be found."
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Successfully deleted archive ${ARCHIVE_FILE} from ${WHERE} storage."
|
||||
}
|
||||
|
||||
|
||||
# Return 1 if the given database exists in the database file. 0 otherwise.
|
||||
database_exists() {
|
||||
DB=$1
|
||||
|
||||
grep "${DB}" ${RESULT_FILE}
|
||||
if [[ $? -eq 0 ]]; then
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
# This is the main CLI interpreter function
|
||||
cli_main() {
|
||||
ARGS=("$@")
|
||||
|
||||
# Create the ARCHIVE DIR if it's not already there.
|
||||
mkdir -p $ARCHIVE_DIR
|
||||
|
||||
# Create temp directory for a staging area to decompress files into
|
||||
export TMP_DIR=$(mktemp -d)
|
||||
|
||||
# Create a temp file for storing list of databases (if needed)
|
||||
export RESULT_FILE=$(mktemp -p /tmp)
|
||||
|
||||
case "${ARGS[0]}" in
|
||||
"help")
|
||||
usage 0
|
||||
;;
|
||||
|
||||
"list_archives")
|
||||
if [[ ${#ARGS[@]} -gt 2 ]]; then
|
||||
usage 1
|
||||
elif [[ ${#ARGS[@]} -eq 1 ]]; then
|
||||
list_archives
|
||||
else
|
||||
list_archives ${ARGS[1]}
|
||||
fi
|
||||
clean_and_exit 0
|
||||
;;
|
||||
|
||||
"list_databases")
|
||||
if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
|
||||
usage 1
|
||||
elif [[ ${#ARGS[@]} -eq 2 ]]; then
|
||||
list_databases ${ARGS[1]}
|
||||
else
|
||||
list_databases ${ARGS[1]} ${ARGS[2]}
|
||||
fi
|
||||
;;
|
||||
|
||||
"list_tables")
|
||||
if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
|
||||
usage 1
|
||||
elif [[ ${#ARGS[@]} -eq 3 ]]; then
|
||||
list_tables ${ARGS[1]} ${ARGS[2]}
|
||||
else
|
||||
list_tables ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
|
||||
fi
|
||||
;;
|
||||
|
||||
"list_rows")
|
||||
if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
|
||||
usage 1
|
||||
elif [[ ${#ARGS[@]} -eq 4 ]]; then
|
||||
list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
|
||||
else
|
||||
list_rows ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
|
||||
fi
|
||||
;;
|
||||
|
||||
"list_schema")
|
||||
if [[ ${#ARGS[@]} -lt 4 || ${#ARGS[@]} -gt 5 ]]; then
|
||||
usage 1
|
||||
elif [[ ${#ARGS[@]} -eq 4 ]]; then
|
||||
list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]}
|
||||
else
|
||||
list_schema ${ARGS[1]} ${ARGS[2]} ${ARGS[3]} ${ARGS[4]}
|
||||
fi
|
||||
;;
|
||||
|
||||
"restore")
|
||||
REMOTE=""
|
||||
if [[ ${#ARGS[@]} -lt 3 || ${#ARGS[@]} -gt 4 ]]; then
|
||||
usage 1
|
||||
elif [[ ${#ARGS[@]} -eq 4 ]]; then
|
||||
REMOTE=${ARGS[3]}
|
||||
fi
|
||||
|
||||
ARCHIVE=${ARGS[1]}
|
||||
DB_SPEC=${ARGS[2]}
|
||||
|
||||
#Get all the databases in that archive
|
||||
get_archive $ARCHIVE $REMOTE
|
||||
|
||||
if [[ "$( echo $DB_SPEC | tr '[a-z]' '[A-Z]')" != "ALL" ]]; then
|
||||
# Expectation is that the database listing will be put into
|
||||
# the given file one database per line
|
||||
get_databases $TMP_DIR $RESULT_FILE
|
||||
if [[ "$?" -ne 0 ]]; then
|
||||
clean_and_exit 1 "ERROR: Could not get the list of databases to restore."
|
||||
fi
|
||||
|
||||
if [[ ! $DB_NAMESPACE == "kube-system" ]]; then
|
||||
#check if the requested database is available in the archive
|
||||
database_exists $DB_SPEC
|
||||
if [[ $? -ne 1 ]]; then
|
||||
clean_and_exit 1 "ERROR: Database ${DB_SPEC} does not exist."
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "Restoring Database $DB_SPEC And Grants"
|
||||
restore_single_db $DB_SPEC $TMP_DIR
|
||||
if [[ "$?" -eq 0 ]]; then
|
||||
echo "Single database restored successfully."
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Single database restore failed."
|
||||
fi
|
||||
clean_and_exit 0 ""
|
||||
else
|
||||
echo "Restoring All The Databases. This could take a few minutes..."
|
||||
restore_all_dbs $TMP_DIR
|
||||
if [[ "$?" -eq 0 ]]; then
|
||||
echo "All databases restored successfully."
|
||||
else
|
||||
clean_and_exit 1 "ERROR: Database restore failed."
|
||||
fi
|
||||
clean_and_exit 0 ""
|
||||
fi
|
||||
;;
|
||||
"delete_archive")
|
||||
if [[ ${#ARGS[@]} -lt 2 || ${#ARGS[@]} -gt 3 ]]; then
|
||||
usage 1
|
||||
elif [[ ${#ARGS[@]} -eq 2 ]]; then
|
||||
delete_archive ${ARGS[1]}
|
||||
else
|
||||
delete_archive ${ARGS[1]} ${ARGS[2]}
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
usage 1
|
||||
;;
|
||||
esac
|
||||
|
||||
clean_and_exit 0 ""
|
||||
}
|
||||
{{- end }}
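Review bot: In `delete_archive`, any non-empty second argument selects the remote store, so `delete_archive <archive_filename> local` or a mistyped `remot` deletes the object from the RGW instead of being rejected. `get_archive` already sends unknown values to `usage 1`; the same check belongs here before `delete_remote_archive` runs: `if [[ "x${REMOTE}" == "xremote" ]]; then WHERE="remote"; elif [[ -n ${REMOTE} ]]; then usage 1; fi`. The `list_*` functions set `WHERE` the same way, but `get_archive` exits on a bad value before the label is used there. A related gap in argument checking is `database_exists`, where `grep "${DB}" ${RESULT_FILE}` is a substring and regex match, so a partial database name passes the existence check before `restore_single_db` is called; `grep -Fxq -- "${DB}" "${RESULT_FILE}"` would accept whole-line matches only.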
|
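--- /dev/null
+++ b/charts/deps/helm-toolkit/templates/snippets/_image.tpl
@@ -0,0 +1,60 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+Resolves an image reference to a string, and its pull policy
+values: |
+images:
+tags:
+test_image: docker.io/port/test:version-foo
+image_foo: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+pull_policy: IfNotPresent
+local_registry:
+active: true
+exclude:
+- image_foo
+endpoints:
+cluster_domain_suffix: cluster.local
+local_image_registry:
+name: docker-registry
+namespace: docker-registry
+hosts:
+default: localhost
+internal: docker-registry
+node: localhost
+host_fqdn_override:
+default: null
+port:
+registry:
+node: 5000
+usage: |
+{{ tuple . "test_image" | include "helm-toolkit.snippets.image" }}
+return: |
+image: "localhost:5000/docker.io/port/test:version-foo"
+imagePullPolicy: IfNotPresent
+*/}}
+
+{{- define "helm-toolkit.snippets.image" -}}
+{{- $envAll := index . 0 -}}
+{{- $image := index . 1 -}}
+{{- $imageTag := index $envAll.Values.images.tags $image -}}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
+{{- else -}}
+image: {{ $imageTag | quote }}
+{{- end }}
+imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{- end -}}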
@ -0,0 +1,142 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Returns a set of container enviorment variables, equivlant to an openrc for
|
||||
use with keystone based command line clients.
|
||||
values: |
|
||||
secrets:
|
||||
identity:
|
||||
admin: example-keystone-admin
|
||||
usage: |
|
||||
{{ include "helm-toolkit.snippets.keystone_openrc_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.admin ) }}
|
||||
return: |
|
||||
- name: OS_IDENTITY_API_VERSION
|
||||
value: "3"
|
||||
- name: OS_AUTH_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_AUTH_URL
|
||||
- name: OS_REGION_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_REGION_NAME
|
||||
- name: OS_INTERFACE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_INTERFACE
|
||||
- name: OS_ENDPOINT_TYPE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_INTERFACE
|
||||
- name: OS_PROJECT_DOMAIN_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_PROJECT_DOMAIN_NAME
|
||||
- name: OS_PROJECT_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_PROJECT_NAME
|
||||
- name: OS_USER_DOMAIN_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_USER_DOMAIN_NAME
|
||||
- name: OS_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_USERNAME
|
||||
- name: OS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_PASSWORD
|
||||
- name: OS_CACERT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-admin
|
||||
key: OS_CACERT
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.keystone_openrc_env_vars" }}
|
||||
{{- $useCA := .useCA -}}
|
||||
{{- $ksUserSecret := .ksUserSecret }}
|
||||
- name: OS_IDENTITY_API_VERSION
|
||||
value: "3"
|
||||
- name: OS_AUTH_URL
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_AUTH_URL
|
||||
- name: OS_REGION_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_REGION_NAME
|
||||
- name: OS_INTERFACE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_INTERFACE
|
||||
- name: OS_ENDPOINT_TYPE
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_INTERFACE
|
||||
- name: OS_PROJECT_DOMAIN_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_PROJECT_DOMAIN_NAME
|
||||
- name: OS_PROJECT_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_PROJECT_NAME
|
||||
- name: OS_USER_DOMAIN_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_USER_DOMAIN_NAME
|
||||
- name: OS_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_USERNAME
|
||||
- name: OS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_PASSWORD
|
||||
- name: OS_DEFAULT_DOMAIN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_DEFAULT_DOMAIN
|
||||
{{- if $useCA }}
|
||||
- name: OS_CACERT
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_CACERT
|
||||
{{- end }}
|
||||
{{- end }}
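Review bot: The `return:` example in the header comment does not match what `helm-toolkit.snippets.keystone_openrc_env_vars` renders. It omits the `OS_DEFAULT_DOMAIN` entry that the body always emits, and it lists `OS_CACERT` although the body emits that entry only under `{{- if $useCA }}` and the `usage:` line passes no `useCA`. A caller following the comment would expect a CA variable it does not get, and a secret without an `OS_DEFAULT_DOMAIN` key would presumably keep the container from starting, since the `secretKeyRef` is not marked optional. I would add the `OS_DEFAULT_DOMAIN` block to the example and show `"useCA" true` in the usage line (or drop `OS_CACERT` from the example). A one-line comment that `OS_ENDPOINT_TYPE` deliberately reads the `OS_INTERFACE` key would also help, if that is the intent.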
|
@ -0,0 +1,32 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.keystone_secret_openrc" }}
|
||||
{{- $userClass := index . 0 -}}
|
||||
{{- $identityEndpoint := index . 1 -}}
|
||||
{{- $context := index . 2 -}}
|
||||
{{- $userContext := index $context.Values.endpoints.identity.auth $userClass }}
|
||||
OS_AUTH_URL: {{ tuple "identity" $identityEndpoint "api" $context | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | b64enc }}
|
||||
OS_REGION_NAME: {{ $userContext.region_name | b64enc }}
|
||||
OS_INTERFACE: {{ $userContext.interface | default "internal" | b64enc }}
|
||||
OS_PROJECT_DOMAIN_NAME: {{ $userContext.project_domain_name | b64enc }}
|
||||
OS_PROJECT_NAME: {{ $userContext.project_name | b64enc }}
|
||||
OS_USER_DOMAIN_NAME: {{ $userContext.user_domain_name | b64enc }}
|
||||
OS_USERNAME: {{ $userContext.username | b64enc }}
|
||||
OS_PASSWORD: {{ $userContext.password | b64enc }}
|
||||
OS_DEFAULT_DOMAIN: {{ $userContext.default_domain_id | default "default" | b64enc }}
|
||||
{{- if $userContext.cacert }}
|
||||
OS_CACERT: {{ $userContext.cacert | b64enc }}
|
||||
{{- end }}
|
||||
{{- end }}
|
@ -0,0 +1,90 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Returns a set of container enviorment variables, for use with the keystone
|
||||
user management jobs.
|
||||
values: |
|
||||
secrets:
|
||||
identity:
|
||||
service_user: example-keystone-user
|
||||
usage: |
|
||||
{{ include "helm-toolkit.snippets.keystone_user_create_env_vars" ( dict "ksUserSecret" .Values.secrets.identity.service_user "useCA" true ) }}
|
||||
return: |
|
||||
- name: SERVICE_OS_REGION_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-user
|
||||
key: OS_REGION_NAME
|
||||
- name: SERVICE_OS_PROJECT_DOMAIN_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-user
|
||||
key: OS_PROJECT_DOMAIN_NAME
|
||||
- name: SERVICE_OS_PROJECT_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-user
|
||||
key: OS_PROJECT_NAME
|
||||
- name: SERVICE_OS_USER_DOMAIN_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-user
|
||||
key: OS_USER_DOMAIN_NAME
|
||||
- name: SERVICE_OS_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-user
|
||||
key: OS_USERNAME
|
||||
- name: SERVICE_OS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: example-keystone-user
|
||||
key: OS_PASSWORD
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.keystone_user_create_env_vars" }}
|
||||
{{- $ksUserSecret := .ksUserSecret }}
|
||||
- name: SERVICE_OS_REGION_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_REGION_NAME
|
||||
- name: SERVICE_OS_PROJECT_DOMAIN_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_PROJECT_DOMAIN_NAME
|
||||
- name: SERVICE_OS_PROJECT_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_PROJECT_NAME
|
||||
- name: SERVICE_OS_USER_DOMAIN_NAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_USER_DOMAIN_NAME
|
||||
- name: SERVICE_OS_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_USERNAME
|
||||
- name: SERVICE_OS_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $ksUserSecret }}
|
||||
key: OS_PASSWORD
|
||||
{{- end }}
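Review bot: The usage example passes `"useCA" true`, but the define reads only `.ksUserSecret`, so the flag has no effect and no CA-bundle variable is emitted for the user-management job. Either drop `"useCA" true` from the usage comment, or add an entry guarded by `{{- if .useCA }}` that reads the `OS_CACERT` key of the same secret, as the preceding env-vars snippet does. As written, a caller relying on the documented flag gets no trust anchor from this snippet, which presumably ends in TLS verification failures against a privately signed Keystone endpoint. The `abstract` also misspells "environment".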
|
@ -0,0 +1,68 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders a configmap used for loading custom AppArmor profiles.
|
||||
values: |
|
||||
pod:
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
configmap_apparmor: true
|
||||
apparmor_profiles: |-
|
||||
my_apparmor-v1.profile: |-
|
||||
#include <tunables/global>
|
||||
profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
|
||||
<profile_data>
|
||||
}
|
||||
usage: |
|
||||
{{ dict "envAll" . "component" "myComponent" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
|
||||
return: |
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: releaseName-myComponent-apparmor
|
||||
namespace: myNamespace
|
||||
data:
|
||||
my_apparmor-v1.profile: |-
|
||||
#include <tunables/global>
|
||||
profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
|
||||
<profile_data>
|
||||
}
|
||||
*/}}
|
||||
{{- define "helm-toolkit.snippets.kubernetes_apparmor_configmap" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $component := index . "component" -}}
|
||||
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
|
||||
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
|
||||
{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
|
||||
{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
|
||||
{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
|
||||
{{- $mapName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
|
||||
{{- if $envAll.Values.conf.apparmor_profiles }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ $mapName }}
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
data:
|
||||
{{ $envAll.Values.conf.apparmor_profiles | toYaml | indent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
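Review bot: Every `pod.mandatory_access_control` lookup is guarded with `hasKey`, but `$envAll.Values.conf.apparmor_profiles` is dereferenced without checking that `conf` exists, so a chart that enables `configmap_apparmor` without a `conf` stanza would fail with a nil-pointer template error. The parenthesised form already used in `helm-toolkit.snippets.kubernetes_metadata_labels` fits here: `{{- if ($envAll.Values.conf).apparmor_profiles }}`. The values example should also show `apparmor_profiles` under `conf:`, where the template reads it; the rendered page has lost indentation, so this may already be the case. Because these profiles are loaded into the host by a privileged init container, the comment block should state that the values source is trusted input.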
|
@ -0,0 +1,75 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders the init container used for apparmor loading.
|
||||
values: |
|
||||
images:
|
||||
tags:
|
||||
apparmor_loader: my-repo.io/apparmor-loader:1.0.0
|
||||
pod:
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
configmap_apparmor: true
|
||||
apparmor-loader: unconfined
|
||||
usage: |
|
||||
{{ dict "envAll" . | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" }}
|
||||
return: |
|
||||
- name: apparmor-loader
|
||||
image: my-repo.io/apparmor-loader:1.0.0
|
||||
args:
|
||||
- /profiles
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: sys
|
||||
mountPath: /sys
|
||||
readOnly: true
|
||||
- name: includes
|
||||
mountPath: /etc/apparmor.d
|
||||
readOnly: true
|
||||
- name: profiles
|
||||
mountPath: /profiles
|
||||
readOnly: true
|
||||
*/}}
|
||||
{{- define "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
|
||||
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
|
||||
{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
|
||||
{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
|
||||
{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
|
||||
- name: apparmor-loader
|
||||
image: {{ $envAll.Values.images.tags.apparmor_loader }}
|
||||
args:
|
||||
- /profiles
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: sys
|
||||
mountPath: /sys
|
||||
readOnly: true
|
||||
- name: includes
|
||||
mountPath: /etc/apparmor.d
|
||||
readOnly: true
|
||||
- name: profiles
|
||||
mountPath: /profiles
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
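Review bot: The loader runs with `privileged: true`, yet its image is taken verbatim from `images.tags.apparmor_loader` instead of going through `helm-toolkit.snippets.image` as the entrypoint init container does. Judging by that helper's documented return, the loader therefore gets no `imagePullPolicy` and none of the local-registry handling. A container with full host privileges deserves at least the same treatment, along the lines of `{{ tuple $envAll "apparmor_loader" | include "helm-toolkit.snippets.image" | indent 2 }}` (indent to suit). The values example would also be better pinned by digest than by the mutable tag `1.0.0`. The values comment lists `apparmor-loader: unconfined`, which this define never reads; say which snippet consumes it or drop it.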
|
@ -0,0 +1,68 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders the volumes used by the apparmor loader.
|
||||
values: |
|
||||
pod:
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
configmap_apparmor: true
|
||||
inputs: |
|
||||
envAll: "Environment or Context."
|
||||
component: "Name of the component used for the name of configMap."
|
||||
requireSys: "Boolean. True if it needs the hostpath /sys in volumes."
|
||||
usage: |
|
||||
{{ dict "envAll" . "component" "keystone" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" }}
|
||||
return: |
|
||||
- name: sys
|
||||
hostPath:
|
||||
path: /sys
|
||||
- name: includes
|
||||
hostPath:
|
||||
path: /etc/apparmor.d
|
||||
- name: profiles
|
||||
configMap:
|
||||
name: RELEASENAME-keystone-apparmor
|
||||
defaultMode: 0555
|
||||
*/}}
|
||||
{{- define "helm-toolkit.snippets.kubernetes_apparmor_volumes" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $component := index . "component" -}}
|
||||
{{- $requireSys := index . "requireSys" | default false -}}
|
||||
{{- $configName := printf "%s-%s-%s" $envAll.Release.Name $component "apparmor" -}}
|
||||
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
|
||||
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
|
||||
{{- if hasKey $envAll.Values.pod.mandatory_access_control "configmap_apparmor" -}}
|
||||
{{- if eq $envAll.Values.pod.mandatory_access_control.type "apparmor" -}}
|
||||
{{- if $envAll.Values.pod.mandatory_access_control.configmap_apparmor }}
|
||||
{{- if $requireSys }}
|
||||
- name: sys
|
||||
hostPath:
|
||||
path: /sys
|
||||
{{- end }}
|
||||
- name: includes
|
||||
hostPath:
|
||||
path: /etc/apparmor.d
|
||||
- name: profiles
|
||||
configMap:
|
||||
name: {{ $configName | quote }}
|
||||
defaultMode: 0555
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
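Review bot: The `sys` volume is emitted only when `requireSys` is true (default `false`), but `helm-toolkit.snippets.kubernetes_apparmor_loader_init_container` mounts `sys` unconditionally. A pod combining the two with the default would carry a volumeMount with no matching volume and be rejected at admission. Either state under `inputs` that `requireSys` must be true whenever the loader init container is included, or make the mount conditional too. The two `hostPath` volumes would also benefit from an explicit `type: Directory`, so a node without `/etc/apparmor.d` fails visibly at mount time. `defaultMode: 0555` could be `0444` if the loader only reads the profiles.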
|
@ -0,0 +1,48 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders securityContext for a Kubernetes container.
|
||||
For container level, see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#securitycontext-v1-core
|
||||
examples:
|
||||
- values: |
|
||||
pod:
|
||||
security_context:
|
||||
myApp:
|
||||
container:
|
||||
foo:
|
||||
runAsUser: 34356
|
||||
readOnlyRootFilesystem: true
|
||||
usage: |
|
||||
{{ dict "envAll" . "application" "myApp" "container" "foo" | include "helm-toolkit.snippets.kubernetes_container_security_context" }}
|
||||
return: |
|
||||
securityContext:
|
||||
readOnlyRootFilesystem: true
|
||||
runAsUser: 34356
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_container_security_context" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $application := index . "application" -}}
|
||||
{{- $container := index . "container" -}}
|
||||
{{- if hasKey $envAll.Values.pod "security_context" }}
|
||||
{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
|
||||
{{- if hasKey ( index $envAll.Values.pod.security_context $application "container" ) $container }}
|
||||
securityContext:
|
||||
{{ toYaml ( index $envAll.Values.pod.security_context $application "container" $container ) | indent 2 }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
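Review bot: When no entry exists for the application and container under `pod.security_context`, the define renders nothing, so the container silently runs with the runtime's defaults, which may mean root and a writable root filesystem. The entrypoint init container, by contrast, merges in a restrictive default. The `abstract` should say so, e.g. `Renders nothing when no entry exists; callers needing a baseline must supply one.` Separately, the third `hasKey` assumes the application entry has a `container` key. An entry holding only pod-level settings makes `index … "container"` return nil, which appears to fail the `hasKey` call; adding `hasKey (index $envAll.Values.pod.security_context $application) "container"` to the chain avoids that.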
|
@ -0,0 +1,209 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Returns a container definition for use with the kubernetes-entrypoint image
|
||||
from stackanetes.
|
||||
values: |
|
||||
images:
|
||||
tags:
|
||||
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
|
||||
pull_policy: IfNotPresent
|
||||
local_registry:
|
||||
active: true
|
||||
exclude:
|
||||
- dep_check
|
||||
dependencies:
|
||||
dynamic:
|
||||
common:
|
||||
local_image_registry:
|
||||
jobs:
|
||||
- calico-image-repo-sync
|
||||
services:
|
||||
- endpoint: node
|
||||
service: local_image_registry
|
||||
static:
|
||||
calico_node:
|
||||
services:
|
||||
- endpoint: internal
|
||||
service: etcd
|
||||
custom_resources:
|
||||
- apiVersion: argoproj.io/v1alpha1
|
||||
kind: Workflow
|
||||
name: wf-example
|
||||
fields:
|
||||
- key: "status.phase"
|
||||
value: "Succeeded"
|
||||
endpoints:
|
||||
local_image_registry:
|
||||
namespace: docker-registry
|
||||
hosts:
|
||||
default: localhost
|
||||
node: localhost
|
||||
etcd:
|
||||
hosts:
|
||||
default: etcd
|
||||
# NOTE (portdirect): if the stanza, or a portion of it, under `pod` is not
|
||||
# specififed then the following will be used as defaults:
|
||||
# pod:
|
||||
# security_context:
|
||||
# kubernetes_entrypoint:
|
||||
# container:
|
||||
# kubernetes_entrypoint:
|
||||
# runAsUser: 65534
|
||||
# readOnlyRootFilesystem: true
|
||||
# allowPrivilegeEscalation: false
|
||||
pod:
|
||||
security_context:
|
||||
kubernetes_entrypoint:
|
||||
container:
|
||||
kubernetes_entrypoint:
|
||||
runAsUser: 0
|
||||
readOnlyRootFilesystem: false
|
||||
usage: |
|
||||
{{ tuple . "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" }}
|
||||
return: |
|
||||
- name: init
|
||||
image: "quay.io/airshipit/kubernetes-entrypoint:v1.0.0"
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: false
|
||||
runAsUser: 0
|
||||
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: INTERFACE_NAME
|
||||
value: eth0
|
||||
- name: PATH
|
||||
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
|
||||
- name: DEPENDENCY_SERVICE
|
||||
value: "default:etcd,docker-registry:localhost"
|
||||
- name: DEPENDENCY_JOBS
|
||||
value: "calico-image-repo-sync"
|
||||
- name: DEPENDENCY_DAEMONSET
|
||||
value: ""
|
||||
- name: DEPENDENCY_CONTAINER
|
||||
value: ""
|
||||
- name: DEPENDENCY_POD_JSON
|
||||
value: ""
|
||||
- name: DEPENDENCY_CUSTOM_RESOURCE
|
||||
value: "[{\"apiVersion\":\"argoproj.io/v1alpha1\",\"kind\":\"Workflow\",\"namespace\":\"default\",\"name\":\"wf-example\",\"fields\":[{\"key\":\"status.phase\",\"value\":\"Succeeded\"}]}]"
|
||||
command:
|
||||
- kubernetes-entrypoint
|
||||
volumeMounts:
|
||||
[]
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" -}}
|
||||
Values:
|
||||
pod:
|
||||
security_context:
|
||||
kubernetes_entrypoint:
|
||||
container:
|
||||
kubernetes_entrypoint:
|
||||
runAsUser: 65534
|
||||
readOnlyRootFilesystem: true
|
||||
allowPrivilegeEscalation: false
|
||||
{{- end -}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_init_container" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $component := index . 1 -}}
|
||||
{{- $mounts := index . 2 -}}
|
||||
|
||||
{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
|
||||
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
|
||||
{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
|
||||
{{- if eq $component "pod_dependency" -}}
|
||||
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
|
||||
{{- else -}}
|
||||
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- if eq $component "pod_dependency" -}}
|
||||
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- if and ($envAll.Values.manifests.job_rabbit_init) (hasKey $envAll.Values.dependencies "dynamic") -}}
|
||||
{{- if $envAll.Values.dependencies.dynamic.job_rabbit_init -}}
|
||||
{{- if eq $component "pod_dependency" -}}
|
||||
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component) ) -}}
|
||||
{{- else -}}
|
||||
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) (index $envAll.Values.dependencies.dynamic.job_rabbit_init $component)) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
|
||||
{{- range $deps.custom_resources }}
|
||||
{{- $_ := set . "namespace" $envAll.Release.Namespace -}}
|
||||
{{- end -}}
|
||||
{{- $default_security_context := include "helm-toolkit.snippets.kubernetes_entrypoint_init_container._default_security_context" . | fromYaml }}
|
||||
{{- $patchedEnvAll := mergeOverwrite $default_security_context $envAll }}
|
||||
- name: init
|
||||
{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
|
||||
{{- dict "envAll" $patchedEnvAll "application" "kubernetes_entrypoint" "container" "kubernetes_entrypoint" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 2 }}
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
- name: NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: INTERFACE_NAME
|
||||
value: eth0
|
||||
- name: PATH
|
||||
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
|
||||
- name: DEPENDENCY_SERVICE
|
||||
value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
|
||||
{{- if $deps.jobs -}}
|
||||
{{- if kindIs "string" (index $deps.jobs 0) }}
|
||||
- name: DEPENDENCY_JOBS
|
||||
value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
|
||||
{{- else }}
|
||||
- name: DEPENDENCY_JOBS_JSON
|
||||
value: {{- toJson $deps.jobs | quote -}}
|
||||
{{- end -}}
|
||||
{{- end }}
|
||||
- name: DEPENDENCY_DAEMONSET
|
||||
value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.daemonset }}"
|
||||
- name: DEPENDENCY_CONTAINER
|
||||
value: "{{ include "helm-toolkit.utils.joinListWithComma" $deps.container }}"
|
||||
- name: DEPENDENCY_POD_JSON
|
||||
value: {{ if $deps.pod }}{{ toJson $deps.pod | quote }}{{ else }}""{{ end }}
|
||||
- name: DEPENDENCY_CUSTOM_RESOURCE
|
||||
value: {{ if $deps.custom_resources }}{{ toJson $deps.custom_resources | quote }}{{ else }}""{{ end }}
|
||||
command:
|
||||
- kubernetes-entrypoint
|
||||
volumeMounts:
|
||||
{{ toYaml $mounts | indent 4 }}
|
||||
{{- end -}}
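Review bot: In the `DEPENDENCY_JOBS_JSON` branch, `value: {{- toJson $deps.jobs | quote -}}` uses a left trim marker, which strips the space after `value:`. Whenever `jobs` holds objects rather than strings it appears to render `value:"[…]"`, which is not a valid mapping entry. The neighbouring `DEPENDENCY_POD_JSON` line has the working form; this one should read `value: {{ toJson $deps.jobs | quote }}`. Also, the `PATH` value ends in `:/`, which places the filesystem root on the search path. Dropping that last element costs nothing, and it matters once `readOnlyRootFilesystem` is overridden to `false` with `runAsUser: 0`, as the values example in the comment block does.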
|
@ -0,0 +1,20 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_kubectl_params" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $application := index . 1 -}}
|
||||
{{- $component := index . 2 -}}
|
||||
{{ print "-l application=" $application " -l component=" $component }}
|
||||
{{- end -}}
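Review bot: `$application` and `$component` are concatenated into kubectl arguments without quoting, so the output is only safe where both are fixed, label-safe literals chosen by the chart author. Unlike most sibling snippets, this define has no abstract/usage/return comment block. Adding one would make the contract explicit: state the expected output, e.g. `return: | -l application=foo -l component=bar`, and note that callers must not pass operator-supplied free text when the result is embedded in a shell script.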
|
@ -0,0 +1,60 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders mandatory access control annotations for a list of containers
|
||||
driven by values.yaml. As of now, it can only generate an apparmor
|
||||
annotation, but in the future could generate others.
|
||||
values: |
|
||||
pod:
|
||||
mandatory_access_control:
|
||||
type: apparmor
|
||||
myPodName:
|
||||
myContainerName: localhost/myAppArmor
|
||||
mySecondContainerName: localhost/secondProfile # optional
|
||||
myThirdContainerName: localhost/thirdProfile # optional
|
||||
usage: |
|
||||
{{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" }}
|
||||
return: |
|
||||
container.apparmor.security.beta.kubernetes.io/myContainerName: localhost/myAppArmor
|
||||
container.apparmor.security.beta.kubernetes.io/mySecondContainerName: localhost/secondProfile
|
||||
container.apparmor.security.beta.kubernetes.io/myThirdContainerName: localhost/thirdProfile
|
||||
note: |
|
||||
The number of container underneath is a variable arguments. It loops through
|
||||
all the container names specified.
|
||||
*/}}
|
||||
{{- define "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $podName := index . "podName" -}}
|
||||
{{- $containerNames := index . "containerNames" -}}
|
||||
{{- if hasKey $envAll.Values.pod "mandatory_access_control" -}}
|
||||
{{- if hasKey $envAll.Values.pod.mandatory_access_control "type" -}}
|
||||
{{- $macType := $envAll.Values.pod.mandatory_access_control.type -}}
|
||||
{{- if $macType -}}
|
||||
{{- if eq $macType "apparmor" -}}
|
||||
{{- if hasKey $envAll.Values.pod.mandatory_access_control $podName -}}
|
||||
{{- range $name := $containerNames -}}
|
||||
{{- $apparmorProfile := index $envAll.Values.pod.mandatory_access_control $podName $name -}}
|
||||
{{- if $apparmorProfile }}
|
||||
container.apparmor.security.beta.kubernetes.io/{{ $name }}: {{ $apparmorProfile }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
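Review bot: A container name with no entry under the pod's `mandatory_access_control` stanza, including one merely misspelled in `containerNames` or in values, is skipped silently by `{{- if $apparmorProfile }}`. That container then stays on the runtime's default profile with no render-time signal. The `note:` in the comment block should say so, e.g. `Containers without a configured profile get no annotation and fall back to the runtime default.` The emitted value is also unquoted; `{{ $apparmorProfile | quote }}` keeps annotation values strings. Recent Kubernetes releases supersede the `container.apparmor.security.beta.kubernetes.io/` annotation with the `securityContext.appArmorProfile` field, which deserves a line in the comment for anyone targeting newer clusters.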
|
||||
|
@ -0,0 +1,51 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders a set of standardised labels
|
||||
values: |
|
||||
release_group: null
|
||||
pod:
|
||||
labels:
|
||||
default:
|
||||
label1.example.com: value
|
||||
bar:
|
||||
label2.example.com: bar
|
||||
usage: |
|
||||
{{ tuple . "foo" "bar" | include "helm-toolkit.snippets.kubernetes_metadata_labels" }}
|
||||
return: |
|
||||
release_group: RELEASE-NAME
|
||||
application: foo
|
||||
component: bar
|
||||
label1.example.com: value
|
||||
label2.example.com: bar
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_metadata_labels" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $application := index . 1 -}}
|
||||
{{- $component := index . 2 -}}
|
||||
release_group: {{ $envAll.Values.release_group | default $envAll.Release.Name }}
|
||||
application: {{ $application }}
|
||||
component: {{ $component }}
|
||||
{{- if ($envAll.Values.pod).labels }}
|
||||
{{- if hasKey $envAll.Values.pod.labels $component }}
|
||||
{{ index $envAll.Values.pod "labels" $component | toYaml }}
|
||||
{{- end -}}
|
||||
{{- if hasKey $envAll.Values.pod.labels "default" }}
|
||||
{{ $envAll.Values.pod.labels.default | toYaml }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
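Review bot: The entries from the component's `pod.labels` map and from `pod.labels.default` are appended after the three fixed labels with no key check. A values entry named `application`, `component` or `release_group`, or one present in both maps, therefore produces duplicate mapping keys, and most parsers keep the last one. Where these labels feed selectors or network policies, a values override can change what a workload matches without any error. The comment block should state that the fixed keys are reserved, or the define should `omit` them before `toYaml`. The fixed values are also rendered unquoted; `application: {{ $application | quote }}` stops a name such as `true` or `123` becoming a non-string label.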
|
@ -0,0 +1,89 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders kubernetes anti affinity rules, this function supports both hard
|
||||
'requiredDuringSchedulingIgnoredDuringExecution' and soft
|
||||
'preferredDuringSchedulingIgnoredDuringExecution' types.
|
||||
values: |
|
||||
pod:
|
||||
affinity:
|
||||
anti:
|
||||
topologyKey:
|
||||
default: kubernetes.io/hostname
|
||||
type:
|
||||
default: requiredDuringSchedulingIgnoredDuringExecution
|
||||
weight:
|
||||
default: 10
|
||||
usage: |
|
||||
{{ tuple . "appliction_x" "component_y" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" }}
|
||||
return: |
|
||||
podAntiAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
- key: release_group
|
||||
operator: In
|
||||
values:
|
||||
- RELEASE-NAME
|
||||
- key: application
|
||||
operator: In
|
||||
values:
|
||||
- appliction_x
|
||||
- key: component
|
||||
operator: In
|
||||
values:
|
||||
- component_y
|
||||
topologyKey: kubernetes.io/hostname
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $application := index . "application" -}}
|
||||
{{- $component := index . "component" -}}
|
||||
{{- $expressionRelease := dict "key" "release_group" "operator" "In" "values" ( list ( $envAll.Values.release_group | default $envAll.Release.Name ) ) -}}
|
||||
{{- $expressionApplication := dict "key" "application" "operator" "In" "values" ( list $application ) -}}
|
||||
{{- $expressionComponent := dict "key" "component" "operator" "In" "values" ( list $component ) -}}
|
||||
{{- list $expressionRelease $expressionApplication $expressionComponent | toYaml }}
|
||||
{{- end -}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_pod_anti_affinity" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $application := index . 1 -}}
|
||||
{{- $component := index . 2 -}}
|
||||
{{- $antiAffinityType := index $envAll.Values.pod.affinity.anti.type $component | default $envAll.Values.pod.affinity.anti.type.default }}
|
||||
{{- $antiAffinityKey := index $envAll.Values.pod.affinity.anti.topologyKey $component | default $envAll.Values.pod.affinity.anti.topologyKey.default }}
|
||||
podAntiAffinity:
|
||||
{{- $matchExpressions := include "helm-toolkit.snippets.kubernetes_pod_anti_affinity._match_expressions" ( dict "envAll" $envAll "application" $application "component" $component ) -}}
|
||||
{{- if eq $antiAffinityType "preferredDuringSchedulingIgnoredDuringExecution" }}
|
||||
{{ $antiAffinityType }}:
|
||||
- podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
{{ $matchExpressions | indent 10 }}
|
||||
topologyKey: {{ $antiAffinityKey }}
|
||||
{{- if $envAll.Values.pod.affinity.anti.weight }}
|
||||
weight: {{ index $envAll.Values.pod.affinity.anti.weight $component | default $envAll.Values.pod.affinity.anti.weight.default }}
|
||||
{{- else }}
|
||||
weight: 10
|
||||
{{- end -}}
|
||||
{{- else if eq $antiAffinityType "requiredDuringSchedulingIgnoredDuringExecution" }}
|
||||
{{ $antiAffinityType }}:
|
||||
- labelSelector:
|
||||
matchExpressions:
|
||||
{{ $matchExpressions | indent 8 }}
|
||||
topologyKey: {{ $antiAffinityKey }}
|
||||
{{- end -}}
|
||||
{{- end -}}
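Review bot: If the configured anti-affinity type is anything other than the two supported strings (a typo, for instance), neither branch matches and the define renders a bare `podAntiAffinity:` with a null body. The pods are then scheduled with no anti-affinity and nothing reports it. An explicit `{{- else }}{{ fail (printf "unsupported anti-affinity type %q" $antiAffinityType) }}` before the closing `{{- end -}}` of the `if` turns that into a render error. The usage and return examples also spell the sample application `appliction_x`.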
|
@ -0,0 +1,45 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders image pull secrets for a pod
|
||||
values: |
|
||||
pod:
|
||||
image_pull_secrets:
|
||||
default:
|
||||
- name: some-pull-secret
|
||||
bar:
|
||||
- name: another-pull-secret
|
||||
usage: |
|
||||
{{ tuple . "bar" | include "helm-toolkit.snippets.kubernetes_image_pull_secrets" }}
|
||||
return: |
|
||||
imagePullSecrets:
|
||||
- name: some-pull-secret
|
||||
- name: another-pull-secret
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_image_pull_secrets" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $application := index . 1 -}}
|
||||
{{- if ($envAll.Values.pod).image_pull_secrets }}
|
||||
imagePullSecrets:
|
||||
{{- if hasKey $envAll.Values.pod.image_pull_secrets $application }}
|
||||
{{ index $envAll.Values.pod "image_pull_secrets" $application | toYaml | indent 2 }}
|
||||
{{- end -}}
|
||||
{{- if hasKey $envAll.Values.pod.image_pull_secrets "default" }}
|
||||
{{ $envAll.Values.pod.image_pull_secrets.default | toYaml | indent 2 }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,69 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $deps := index . 1 -}}
|
||||
{{- $saName := index . 2 | replace "_" "-" }}
|
||||
{{- $saNamespace := index . 3 -}}
|
||||
{{- $releaseName := $envAll.Release.Name }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $releaseName }}-{{ $saName }}
|
||||
namespace: {{ $saNamespace }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $saName }}
|
||||
namespace: {{ $saNamespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
|
||||
namespace: {{ $saNamespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
- extensions
|
||||
- batch
|
||||
- apps
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
resources:
|
||||
{{- range $k, $v := $deps -}}
|
||||
{{ if eq $v "daemonsets" }}
|
||||
- daemonsets
|
||||
{{- end -}}
|
||||
{{ if eq $v "jobs" }}
|
||||
- jobs
|
||||
{{- end -}}
|
||||
{{ if or (eq $v "pods") (eq $v "daemonsets") (eq $v "jobs") }}
|
||||
- pods
|
||||
{{- end -}}
|
||||
{{ if eq $v "services" }}
|
||||
- services
|
||||
- endpoints
|
||||
{{- end -}}
|
||||
{{ if eq $v "secrets" }}
|
||||
- secrets
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
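Review bot: The `{{ if eq $v "secrets" }}` branch adds `secrets` to a rule whose verbs are `get` and `list` with no `resourceNames`, so the bound service account can read every Secret in `$saNamespace`, not only the ones its dependencies refer to. A separate rule for secrets, limited to `get` and carrying `resourceNames`, would keep the grant to what the dependency check needs; whether the names are available at this point cannot be seen from this template and should be confirmed against the caller. At minimum the template deserves a header comment stating that `list` on secrets returns the secret data itself. The single rule also applies all four `apiGroups` to every resource it lists, which is broader than any one resource requires.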
|
@ -0,0 +1,75 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $component := index . 1 -}}
|
||||
{{- $saName := index . 2 -}}
|
||||
{{- $saNamespace := $envAll.Release.Namespace }}
|
||||
{{- $randomKey := randAlphaNum 32 }}
|
||||
{{- $allNamespace := dict $randomKey "" }}
|
||||
|
||||
{{- $_ := set $envAll.Values "__kubernetes_entrypoint_init_container" dict -}}
|
||||
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" dict -}}
|
||||
{{- if and ($envAll.Values.images.local_registry.active) (ne $component "image_repo_sync") -}}
|
||||
{{- if eq $component "pod_dependency" -}}
|
||||
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.pod_dependency ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
|
||||
{{- else -}}
|
||||
{{- $_ := include "helm-toolkit.utils.merge" ( tuple $envAll.Values.__kubernetes_entrypoint_init_container.deps ( index $envAll.Values.dependencies.static $component ) $envAll.Values.dependencies.dynamic.common.local_image_registry ) -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- if eq $component "pod_dependency" -}}
|
||||
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.pod_dependency ) -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set $envAll.Values.__kubernetes_entrypoint_init_container "deps" ( index $envAll.Values.dependencies.static $component ) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- $deps := $envAll.Values.__kubernetes_entrypoint_init_container.deps }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ $saName }}
|
||||
namespace: {{ $saNamespace }}
|
||||
{{- if $envAll.Values.manifests.secret_registry }}
|
||||
{{- if $envAll.Values.endpoints.oci_image_registry.auth.enabled }}
|
||||
imagePullSecrets:
|
||||
- name: {{ index $envAll.Values.secrets.oci_image_registry $envAll.Chart.Name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- range $k, $v := $deps -}}
|
||||
{{- if eq $k "services" }}
|
||||
{{- range $serv := $v }}
|
||||
{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
|
||||
{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
|
||||
{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
|
||||
{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- else if and (eq $k "jobs") $v }}
|
||||
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
|
||||
{{- else if and (eq $k "daemonset") $v }}
|
||||
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
|
||||
{{- else if and (eq $k "pod") $v }}
|
||||
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "pods," ((index $allNamespace $saNamespace) | default "")) }}
|
||||
{{- else if and (eq $k "secret") $v }}
|
||||
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "secrets," ((index $allNamespace $saNamespace) | default "")) }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- $_ := unset $allNamespace $randomKey }}
|
||||
{{- range $ns, $vv := $allNamespace }}
|
||||
{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
|
||||
{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
|
||||
{{- end -}}
|
||||
{{- end -}}
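Review bot: The ServiceAccount is created in `$envAll.Release.Namespace`, but `tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles"` passes the endpoint namespace `$ns` as the fourth element, and the roles template shown above on this page uses that same value for the RoleBinding's `subjects[].namespace`. When an endpoint sets `namespace` to something other than the release namespace, the binding therefore names a ServiceAccount `$saName` in the other namespace: the account created here gets no access there, and a same-named account in that namespace would. Passing the release namespace as a separate element for the subject would fix this. The roles template also applies `replace "_" "-"` to the name while `name: {{ $saName }}` here does not, so the two can diverge.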
|
@ -0,0 +1,67 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders securityContext for a Kubernetes pod.
|
||||
For pod level, seurity context see here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.13/#podsecuritycontext-v1-core
|
||||
examples:
|
||||
- values: |
|
||||
pod:
|
||||
# NOTE: The 'user' key is deprecated, and will be removed shortly.
|
||||
user:
|
||||
myApp:
|
||||
uid: 34356
|
||||
security_context:
|
||||
myApp:
|
||||
pod:
|
||||
runAsNonRoot: true
|
||||
usage: |
|
||||
{{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
|
||||
return: |
|
||||
securityContext:
|
||||
runAsUser: 34356
|
||||
runAsNonRoot: true
|
||||
- values: |
|
||||
pod:
|
||||
security_context:
|
||||
myApp:
|
||||
pod:
|
||||
runAsUser: 34356
|
||||
runAsNonRoot: true
|
||||
usage: |
|
||||
{{ dict "envAll" . "application" "myApp" | include "helm-toolkit.snippets.kubernetes_pod_security_context" }}
|
||||
return: |
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 34356
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_pod_security_context" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $application := index . "application" -}}
|
||||
securityContext:
|
||||
{{- if hasKey $envAll.Values.pod "user" }}
|
||||
{{- if hasKey $envAll.Values.pod.user $application }}
|
||||
{{- if hasKey ( index $envAll.Values.pod.user $application ) "uid" }}
|
||||
runAsUser: {{ index $envAll.Values.pod.user $application "uid" }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- if hasKey $envAll.Values.pod "security_context" }}
|
||||
{{- if hasKey ( index $envAll.Values.pod.security_context ) $application }}
|
||||
{{ toYaml ( index $envAll.Values.pod.security_context $application "pod" ) | indent 2 }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
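Review bot: `runAsUser` can be emitted twice under `securityContext:`, once by the deprecated `pod.user.<application>.uid` branch and again by the `toYaml` of `pod.security_context.<application>.pod` when that map also sets `runAsUser`. YAML parsers differ on duplicate mapping keys (last one wins, or a parse error), so the effective UID is ambiguous when both values are present. The `user.uid` line should be skipped when the `pod` map already carries `runAsUser`, and the header comment should say which source takes precedence. `securityContext:` is also rendered with no body when neither key is set, and the abstract has a typo (`seurity`).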
|
@ -0,0 +1,55 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders kubernetes liveness and readiness probes for containers
|
||||
values: |
|
||||
pod:
|
||||
probes:
|
||||
api:
|
||||
default:
|
||||
readiness:
|
||||
enabled: true
|
||||
params:
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 30
|
||||
usage: |
|
||||
{{- define "probeTemplate" }}
|
||||
httpGet:
|
||||
path: /status
|
||||
port: 9090
|
||||
{{- end }}
|
||||
{{ dict "envAll" . "component" "api" "container" "default" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" }}
|
||||
return: |
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /status
|
||||
port: 9090
|
||||
initialDelaySeconds: 30
|
||||
timeoutSeconds: 30
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_probe" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $component := index . "component" -}}
|
||||
{{- $container := index . "container" -}}
|
||||
{{- $type := index . "type" -}}
|
||||
{{- $probeTemplate := index . "probeTemplate" -}}
|
||||
{{- $probeOpts := index $envAll.Values.pod.probes $component $container $type -}}
|
||||
{{- if $probeOpts.enabled -}}
|
||||
{{- $probeOverides := index $probeOpts "params" | default dict -}}
|
||||
{{ dict ( printf "%sProbe" $type ) (mergeOverwrite $probeTemplate $probeOverides ) | toYaml }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,53 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
Note: This function is deprecated and will be removed in the future.
|
||||
|
||||
abstract: |
|
||||
Renders kubernetes resource limits for pods
|
||||
values: |
|
||||
pod:
|
||||
resources:
|
||||
enabled: true
|
||||
api:
|
||||
requests:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
limits:
|
||||
memory: "1024Mi"
|
||||
cpu: "2000m"
|
||||
hugepages-1Gi: "1Gi"
|
||||
|
||||
usage: |
|
||||
{{ include "helm-toolkit.snippets.kubernetes_resources" ( tuple . .Values.pod.resources.api ) }}
|
||||
return: |
|
||||
resources:
|
||||
limits:
|
||||
cpu: "2000m"
|
||||
memory: "1024Mi"
|
||||
hugepages-1Gi: "1Gi"
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "128Mi
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_resources" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $component := index . 1 -}}
|
||||
{{- if $envAll.Values.pod.resources.enabled -}}
|
||||
resources:
|
||||
{{ toYaml $component | trim | indent 2 }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,47 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders seccomp annotations for a list of containers driven by values.yaml.
|
||||
values: |
|
||||
pod:
|
||||
seccomp:
|
||||
myPodName:
|
||||
myContainerName: localhost/mySeccomp
|
||||
mySecondContainerName: localhost/secondProfile # optional
|
||||
myThirdContainerName: localhost/thirdProfile # optional
|
||||
usage: |
|
||||
{{ dict "envAll" . "podName" "myPodName" "containerNames" (list "myContainerName" "mySecondContainerName" "myThirdContainerName") | include "helm-toolkit.snippets.kubernetes_seccomp_annotation" }}
|
||||
return: |
|
||||
container.seccomp.security.alpha.kubernetes.io/myContainerName: localhost/mySeccomp
|
||||
container.seccomp.security.alpha.kubernetes.io/mySecondContainerName: localhost/secondProfile
|
||||
container.seccomp.security.alpha.kubernetes.io/myThirdContainerName: localhost/thirdProfile
|
||||
note: |
|
||||
The number of container underneath is a variable arguments. It loops through
|
||||
all the container names specified.
|
||||
*/}}
|
||||
{{- define "helm-toolkit.snippets.kubernetes_seccomp_annotation" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $podName := index . "podName" -}}
|
||||
{{- $containerNames := index . "containerNames" -}}
|
||||
{{- if hasKey (index $envAll.Values.pod "seccomp") $podName -}}
|
||||
{{- range $name := $containerNames -}}
|
||||
{{- $seccompProfile := index $envAll.Values.pod.seccomp $podName $name -}}
|
||||
{{- if $seccompProfile }}
|
||||
container.seccomp.security.alpha.kubernetes.io/{{ $name }}: {{ $seccompProfile }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
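Review bot: The template renders `container.seccomp.security.alpha.kubernetes.io/<name>` annotations, which Kubernetes deprecated in v1.19 in favour of the `securityContext.seccompProfile` field and, to my knowledge, no longer honours from v1.27. On such clusters the annotation is accepted but has no effect, so containers would start without the profile the values file asks for and nothing would report it. The header comment should state which cluster versions the snippet is valid for, or the profile should be rendered as `seccompProfile` (`type: Localhost` with `localhostProfile`) in the container security context. The value `{{ $seccompProfile }}` is also emitted unquoted.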
|
@ -0,0 +1,45 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders kubernetes tolerations for pods
|
||||
values: |
|
||||
pod:
|
||||
tolerations:
|
||||
api:
|
||||
enabled: true
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/node
|
||||
operator: Exists
|
||||
|
||||
usage: |
|
||||
{{ include "helm-toolkit.snippets.kubernetes_tolerations" ( tuple . .Values.pod.tolerations.api ) }}
|
||||
return: |
|
||||
tolerations:
|
||||
- key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- key: node-role.kubernetes.io/node
|
||||
operator: Exists
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_tolerations" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $component := index . 1 -}}
|
||||
{{- $pod := index $envAll.Values.pod.tolerations $component }}
|
||||
tolerations:
|
||||
{{ toYaml $pod.tolerations }}
|
||||
{{- end -}}
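Review bot: The usage example passes the map `.Values.pod.tolerations.api` as the second tuple element, but the template uses that element as a key in `index $envAll.Values.pod.tolerations $component`, so callers have to pass the component name; the comment should read `( tuple . "api" )`. The `enabled` flag shown in the values example is not read anywhere in the template, so `tolerations:` is rendered whenever the snippet is included. Either document that the caller must test `enabled` first, or wrap the body in `{{- if $pod.enabled }}`.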
|
@ -0,0 +1,33 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_upgrades_daemonset" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $component := index . 1 -}}
|
||||
{{- $upgradeMap := index $envAll.Values.pod.lifecycle.upgrades.daemonsets $component -}}
|
||||
{{- $pod_replacement_strategy := $envAll.Values.pod.lifecycle.upgrades.daemonsets.pod_replacement_strategy -}}
|
||||
{{- with $upgradeMap -}}
|
||||
{{- if .enabled }}
|
||||
minReadySeconds: {{ .min_ready_seconds }}
|
||||
updateStrategy:
|
||||
type: {{ $pod_replacement_strategy }}
|
||||
{{- if $pod_replacement_strategy }}
|
||||
{{- if eq $pod_replacement_strategy "RollingUpdate" }}
|
||||
rollingUpdate:
|
||||
maxUnavailable: {{ .max_unavailable }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,27 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_upgrades_deployment" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- with $envAll.Values.pod.lifecycle.upgrades.deployments -}}
|
||||
revisionHistoryLimit: {{ .revision_history }}
|
||||
strategy:
|
||||
type: {{ .pod_replacement_strategy }}
|
||||
{{- if eq .pod_replacement_strategy "RollingUpdate" }}
|
||||
rollingUpdate:
|
||||
maxUnavailable: {{ .rolling_update.max_unavailable }}
|
||||
maxSurge: {{ .rolling_update.max_surge }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,51 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders upgradeStrategy configuration for Kubernetes statefulsets.
|
||||
See: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets
|
||||
Types:
|
||||
- RollingUpdate (default)
|
||||
- OnDelete
|
||||
Partitions:
|
||||
- Stage updates to a statefulset by keeping pods at current version while
|
||||
allowing mutations to statefulset's .spec.template
|
||||
values: |
|
||||
pod:
|
||||
lifecycle:
|
||||
upgrades:
|
||||
statefulsets:
|
||||
pod_replacement_strategy: RollingUpdate
|
||||
partition: 2
|
||||
usage: |
|
||||
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_statefulset" | indent 2 }}
|
||||
return: |
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
rollingUpdate:
|
||||
partition: 2
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_upgrades_statefulset" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- with $envAll.Values.pod.lifecycle.upgrades.statefulsets -}}
|
||||
updateStrategy:
|
||||
type: {{ .pod_replacement_strategy }}
|
||||
{{ if .partition -}}
|
||||
rollingUpdate:
|
||||
partition: {{ .partition }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,68 @@
|
||||
{{- define "helm-toolkit.snippets.mon_host_from_k8s_ep" -}}
|
||||
{{/*
|
||||
|
||||
Inserts a bash function definition mon_host_from_k8s_ep() which can be used
|
||||
to construct a mon_hosts value from the given namespaced endpoint.
|
||||
|
||||
Usage (e.g. in _script.sh.tpl):
|
||||
#!/bin/bash
|
||||
|
||||
: "${NS:=ceph}"
|
||||
: "${EP:=ceph-mon-discovery}"
|
||||
|
||||
{{ include "helm-toolkit.snippets.mon_host_from_k8s_ep" . }}
|
||||
|
||||
MON_HOST=$(mon_host_from_k8s_ep "$NS" "$EP")
|
||||
|
||||
if [ -z "$MON_HOST" ]; then
|
||||
# deal with failure
|
||||
else
|
||||
sed -i -e "s/^mon_host = /mon_host = $MON_HOST/" /etc/ceph/ceph.conf
|
||||
fi
|
||||
*/}}
|
||||
{{`
|
||||
# Construct a mon_hosts value from the given namespaced endpoint
|
||||
# IP x.x.x.x with port p named "mon-msgr2" will appear as [v2:x.x.x.x/p/0]
|
||||
# IP x.x.x.x with port q named "mon" will appear as [v1:x.x.x.x/q/0]
|
||||
# IP x.x.x.x with ports p and q will appear as [v2:x.x.x.x/p/0,v1:x.x.x.x/q/0]
|
||||
# The entries for all IPs will be joined with commas
|
||||
mon_host_from_k8s_ep() {
|
||||
local ns=$1
|
||||
local ep=$2
|
||||
|
||||
if [ -z "$ns" ] || [ -z "$ep" ]; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
# We don't want shell expansion for the go-template expression
|
||||
# shellcheck disable=SC2016
|
||||
kubectl get endpoints -n "$ns" "$ep" -o go-template='
|
||||
{{- $sep := "" }}
|
||||
{{- range $_,$s := .subsets }}
|
||||
{{- $v2port := 0 }}
|
||||
{{- $v1port := 0 }}
|
||||
{{- range $_,$port := index $s "ports" }}
|
||||
{{- if (eq $port.name "mon-msgr2") }}
|
||||
{{- $v2port = $port.port }}
|
||||
{{- else if (eq $port.name "mon") }}
|
||||
{{- $v1port = $port.port }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- range $_,$address := index $s "addresses" }}
|
||||
{{- $v2endpoint := printf "v2:%s:%d/0" $address.ip $v2port }}
|
||||
{{- $v1endpoint := printf "v1:%s:%d/0" $address.ip $v1port }}
|
||||
{{- if (and $v2port $v1port) }}
|
||||
{{- printf "%s[%s,%s]" $sep $v2endpoint $v1endpoint }}
|
||||
{{- $sep = "," }}
|
||||
{{- else if $v2port }}
|
||||
{{- printf "%s[%s]" $sep $v2endpoint }}
|
||||
{{- $sep = "," }}
|
||||
{{- else if $v1port }}
|
||||
{{- printf "%s[%s]" $sep $v1endpoint }}
|
||||
{{- $sep = "," }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}'
|
||||
}
|
||||
`}}
|
||||
{{- end -}}
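Review bot: The usage example in the header comment runs `sed -i -e "s/^mon_host = /mon_host = $MON_HOST/"`, but the function's output always contains `/` (the `/0` suffix from `printf "v2:%s:%d/0"`), which ends the `s/…/…/` expression early and makes sed fail. A delimiter that cannot occur in the value fixes the example: `sed -i -e "s|^mon_host = |mon_host = $MON_HOST|"`. The comments above the function also show `[v2:x.x.x.x/p/0]`, while the format string produces `[v2:x.x.x.x:p/0]`.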
|
@ -0,0 +1,33 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# Appends annotations for configuring prometheus scrape jobs via pod
|
||||
# annotations. The required annotations are:
|
||||
# * `prometheus.io/scrape`: Only scrape pods that have a value of `true`
|
||||
# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
|
||||
# * `prometheus.io/port`: Scrape the pod on the indicated port instead of the
|
||||
# pod's declared ports (default is a port-free target if none are declared).
|
||||
|
||||
{{- define "helm-toolkit.snippets.prometheus_pod_annotations" -}}
|
||||
{{- $config := index . 0 -}}
|
||||
{{- if $config.scrape }}
|
||||
prometheus.io/scrape: {{ $config.scrape | quote }}
|
||||
{{- end }}
|
||||
{{- if $config.path }}
|
||||
prometheus.io/path: {{ $config.path | quote }}
|
||||
{{- end }}
|
||||
{{- if $config.port }}
|
||||
prometheus.io/port: {{ $config.port | quote }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
@ -0,0 +1,35 @@
|
||||
{{/*
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
# Appends annotations for configuring prometheus scrape endpoints via
|
||||
# annotations. The required annotations are:
|
||||
# * `prometheus.io/scrape`: Only scrape services that have a value of `true`
|
||||
# * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need
|
||||
# to set this to `https` & most likely set the `tls_config` of the scrape config.
|
||||
# * `prometheus.io/path`: If the metrics path is not `/metrics` override this.
|
||||
# * `prometheus.io/port`: If the metrics are exposed on a different port to the
|
||||
# service then set this appropriately.
|
||||
|
||||
{{- define "helm-toolkit.snippets.prometheus_service_annotations" -}}
|
||||
{{- $config := index . 0 -}}
|
||||
{{- if $config.scrape }}
|
||||
prometheus.io/scrape: {{ $config.scrape | quote }}
|
||||
{{- end }}
|
||||
{{- if $config.scheme }}
|
||||
prometheus.io/scheme: {{ $config.scheme | quote }}
|
||||
{{- end }}
|
||||
{{- if $config.path }}
|
||||
prometheus.io/path: {{ $config.path | quote }}
|
||||
{{- end }}
|
||||
{{- if $config.port }}
|
||||
prometheus.io/port: {{ $config.port | quote }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
@ -0,0 +1,29 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Reneders an attonation key and value for a release
|
||||
values: |
|
||||
release_uuid: null
|
||||
usage: |
|
||||
{{ tuple . | include "helm-toolkit.snippets.release_uuid" }}
|
||||
return: |
|
||||
"openstackhelm.openstack.org/release_uuid": ""
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.release_uuid" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
"openstackhelm.openstack.org/release_uuid": {{ $envAll.Values.release_uuid | default "" | quote }}
|
||||
{{- end -}}
|
@ -0,0 +1,32 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.rgw_s3_admin_env_vars" }}
|
||||
{{- $s3AdminSecret := .s3AdminSecret }}
|
||||
- name: S3_ADMIN_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $s3AdminSecret }}
|
||||
key: S3_ADMIN_USERNAME
|
||||
- name: S3_ADMIN_ACCESS_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $s3AdminSecret }}
|
||||
key: S3_ADMIN_ACCESS_KEY
|
||||
- name: S3_ADMIN_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $s3AdminSecret }}
|
||||
key: S3_ADMIN_SECRET_KEY
|
||||
{{- end }}
|
@ -0,0 +1,29 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.rgw_s3_secret_creds" }}
|
||||
{{- range $client, $config := .Values.storage.s3.clients -}}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- range $key, $value := $config.auth }}
|
||||
{{ $key | upper }}: {{ $value | toString | b64enc}}
|
||||
{{- end }}
|
||||
|
||||
{{ end }}
|
||||
{{- end }}
|
@ -0,0 +1,34 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.rgw_s3_user_env_vars" }}
|
||||
{{- range $client, $user := .Values.storage.s3.clients }}
|
||||
{{- $s3secret := printf "%s-s3-user-secret" ( $client | replace "_" "-" | lower ) }}
|
||||
- name: {{ printf "%s_S3_USERNAME" ($client | replace "-" "_" | upper) }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $s3secret }}
|
||||
key: USERNAME
|
||||
- name: {{ printf "%s_S3_ACCESS_KEY" ($client | replace "-" "_" | upper) }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $s3secret }}
|
||||
key: ACCESS_KEY
|
||||
- name: {{ printf "%s_S3_SECRET_KEY" ($client | replace "-" "_" | upper) }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ $s3secret }}
|
||||
key: SECRET_KEY
|
||||
{{- end }}
|
||||
{{- end }}
|
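--- a/charts/deps/helm-toolkit/templates/snippets/_tls_volume.tpl
+++ b/charts/deps/helm-toolkit/templates/snippets/_tls_volume.tpl
@@ -0,0 +1,47 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+abstract: |
+Renders a secret volume for tls.
+
+Dictionary Parameters:
+enabled: boolean check if you want to conditional disable this snippet (optional)
+name: name of the volume (required)
+secretName: name of a kuberentes/tls secret, if not specified, use the volume name (optional)
+
+values: |
+manifests:
+certificates: true
+
+usage: |
+{{- $opts := dict "enabled" "true" "name" "glance-tls-api" -}}
+{{- $opts | include "helm-toolkit.snippets.tls_volume" -}}
+
+return: |
+- name: glance-tls-api
+secret:
+secretName: glance-tls-api
+defaultMode: 292
+*/}}
+{{- define "helm-toolkit.snippets.tls_volume" }}
+{{- $enabled := index . "enabled" -}}
+{{- $name := index . "name" -}}
+{{- $secretName := index . "secretName" | default $name -}}
+{{- if and $enabled (ne $name "") }}
+- name: {{ $name }}
+secret:
+secretName: {{ $secretName }}
+defaultMode: 292
+{{- end }}
+{{- end }}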
|
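Review bot: `defaultMode: 292` is 0444, so every file in the TLS secret, `tls.key` included, is readable by any UID in each container that mounts this volume. A private key normally wants 0400 (`256`) or, with an `fsGroup` on the pod, 0440 (`288`). To avoid breaking charts that run as another user I would make the mode a parameter, `defaultMode: {{ index . "defaultMode" | default 292 }}`, and document it under Dictionary Parameters with a note that 292 is kept only for compatibility. The usage example also passes `"enabled" "true"` as a string, which is truthy only by accident (`"false"` would be too), so the example should pass a boolean.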
@ -0,0 +1,82 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders a volume mount for TLS key, cert and CA.
|
||||
|
||||
Dictionary Parameters:
|
||||
enabled: boolean check if you want to conditional disable this snippet (optional)
|
||||
name: name that of the volume and should match the volume name (required)
|
||||
path: path to place tls.crt tls.key ca.crt, do not suffix with '/' (required)
|
||||
certs: a tuple containing a nonempty subset of {tls.crt, tls.key, ca.crt}.
|
||||
the default is the full set. (optional)
|
||||
|
||||
values: |
|
||||
manifests:
|
||||
certificates: true
|
||||
|
||||
usage: |
|
||||
{{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "path" "/etc/glance/certs" -}}
|
||||
{{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
|
||||
|
||||
return: |
|
||||
- name: glance-tls-api
|
||||
mountPath: /etc/glance/certs/tls.crt
|
||||
subPath: tls.crt
|
||||
readOnly: true
|
||||
- name: glance-tls-api
|
||||
mountPath: /etc/glance/certs/tls.key
|
||||
subPath: tls.key
|
||||
readOnly: true
|
||||
- name: glance-tls-api
|
||||
mountPath: /etc/glance/certs/ca.crt
|
||||
subPath: ca.crt
|
||||
readOnly: true
|
||||
|
||||
abstract: |
|
||||
This mounts a specific issuing CA only for service validation
|
||||
|
||||
usage: |
|
||||
{{- $opts := dict "enabled" .Values.manifests.certificates "name" "glance-tls-api" "ca" true -}}
|
||||
{{- $opts | include "helm-toolkit.snippets.tls_volume_mount" -}}
|
||||
|
||||
return: |
|
||||
- name: glance-tls-api
|
||||
mountPath: /etc/ssl/certs/openstack-helm.crt
|
||||
subPath: ca.crt
|
||||
readOnly: true
|
||||
*/}}
|
||||
{{- define "helm-toolkit.snippets.tls_volume_mount" }}
|
||||
{{- $enabled := index . "enabled" -}}
|
||||
{{- $name := index . "name" -}}
|
||||
{{- $path := index . "path" | default "" -}}
|
||||
{{- $certs := index . "certs" | default ( tuple "tls.crt" "tls.key" "ca.crt" ) }}
|
||||
{{- if $enabled }}
|
||||
{{- if and (eq $path "") (ne $name "") }}
|
||||
- name: {{ $name }}
|
||||
mountPath: "/etc/ssl/certs/openstack-helm.crt"
|
||||
subPath: ca.crt
|
||||
readOnly: true
|
||||
{{- else }}
|
||||
{{- if ne $name "" }}
|
||||
{{- range $key, $value := $certs }}
|
||||
- name: {{ $name }}
|
||||
mountPath: {{ printf "%s/%s" $path $value }}
|
||||
subPath: {{ $value }}
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
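Review bot: The second documented usage passes `"ca" true`, but the template never reads a `ca` key. The CA-only mount at `/etc/ssl/certs/openstack-helm.crt` is selected purely by `path` being empty (`if and (eq $path "") (ne $name "")`), while the parameter list still marks `path` as required. A caller who supplies `path` and omits `certs` also gets `tls.key` mounted, because the default tuple is the full set; the comment should say that services which only verify a peer should pass `certs` as `(tuple "ca.crt")` or leave `path` out. I would change the doc line to `path: ... (optional; when empty only ca.crt is mounted at /etc/ssl/certs/openstack-helm.crt)` and drop `"ca" true` from the example.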
@ -0,0 +1,87 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Renders out configuration sections into a format suitable for incorporation
|
||||
into a config-map. Allowing various forms of input to be rendered out as
|
||||
appropriate.
|
||||
values: |
|
||||
conf:
|
||||
inputs:
|
||||
- foo
|
||||
- bar
|
||||
some:
|
||||
config_to_render: |
|
||||
#We can use all of gotpl here: eg macros, ranges etc.
|
||||
{{ include "helm-toolkit.utils.joinListWithComma" .Values.conf.inputs }}
|
||||
config_to_complete:
|
||||
#here we can fill out params, but things need to be valid yaml as input
|
||||
'{{ .Release.Name }}': '{{ printf "%s-%s" .Release.Namespace "namespace" }}'
|
||||
static_config:
|
||||
#this is just passed though as yaml to the configmap
|
||||
foo: bar
|
||||
usage: |
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: application-etc
|
||||
data:
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_render "key" "config_to_render.conf") | indent 2 }}
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.config_to_complete "key" "config_to_complete.yaml") | indent 2 }}
|
||||
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.some.static_config "key" "static_config.yaml") | indent 2 }}
|
||||
return: |
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: application-etc
|
||||
data:
|
||||
config_to_render.conf: |
|
||||
#We can use all of gotpl here: eg macros, ranges etc.
|
||||
foo,bar
|
||||
|
||||
config_to_complete.yaml: |
|
||||
'RELEASE-NAME': 'default-namespace'
|
||||
|
||||
static_config.yaml: |
|
||||
foo: bar
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.values_template_renderer" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $template := index . "template" -}}
|
||||
{{- $key := index . "key" -}}
|
||||
{{- $format := index . "format" | default "configMap" -}}
|
||||
{{- with $envAll -}}
|
||||
{{- $templateRendered := tpl ( $template | toYaml ) . }}
|
||||
{{- if eq $format "Secret" }}
|
||||
{{- if hasPrefix "|\n" $templateRendered }}
|
||||
{{ $key }}: {{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | b64enc }}
|
||||
{{- else }}
|
||||
{{ $key }}: {{ $templateRendered | b64enc }}
|
||||
{{- end -}}
|
||||
{{- else }}
|
||||
{{- if hasPrefix "|\n" $templateRendered }}
|
||||
{{ $key }}: |
|
||||
{{ regexReplaceAllLiteral "\n " ( $templateRendered | trimPrefix "|\n" | trimPrefix " " ) "\n" | indent 2 }}
|
||||
{{- else }}
|
||||
{{ $key }}: |
|
||||
{{ $templateRendered | indent 2 }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
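Review bot: The `format` parameter read by `index . "format" | default "configMap"` is missing from the doc block, and the only value that changes behaviour is the exact string `Secret`. Any other spelling (`secret`, `SECRET`) silently takes the plain-text branch, so content meant to be base64-encoded for a Secret is rendered unencoded. I would compare case-insensitively, `{{- if eq ($format | lower) "secret" }}`, or `fail` on an unrecognised value, and add `format: "configMap" (default) or "Secret"` to the comment. The comment should also state that `tpl` evaluates the supplied value with the whole `envAll` context, so values files fed to this snippet need the same level of trust as the chart itself.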
@ -0,0 +1,94 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Produces a certificate from a certificate authority. If the "encode" parameter
|
||||
is true, base64 encode the values for inclusion in a Kubernetes secret.
|
||||
values: |
|
||||
test:
|
||||
hosts:
|
||||
names:
|
||||
- barbican.openstackhelm.example
|
||||
- barbican.openstack.svc.cluster.local
|
||||
ips:
|
||||
- 127.0.0.1
|
||||
- 192.168.0.1
|
||||
life: 3
|
||||
# Use ca.crt and ca.key to build a customized ca, if they are provided.
|
||||
# Use hosts.names[0] and life to auto-generate a ca, if ca is not provided.
|
||||
ca:
|
||||
crt: |
|
||||
<CA CRT>
|
||||
key: |
|
||||
<CA PRIVATE KEY>
|
||||
usage: |
|
||||
{{ include "helm-toolkit.utils.tls_generate_certs" (dict "params" .Values.test) }}
|
||||
return: |
|
||||
ca: |
|
||||
<CA CRT>
|
||||
crt: |
|
||||
<CRT>
|
||||
exp: 2018-09-01T10:56:07.895392915-00:00
|
||||
key: |
|
||||
<CRT PRIVATE KEY>
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.tls_generate_certs" -}}
|
||||
{{- $params := index . "params" -}}
|
||||
{{- $encode := index . "encode" | default false -}}
|
||||
{{- $local := dict -}}
|
||||
|
||||
{{- $_hosts := $params.hosts.names | default list }}
|
||||
{{- if kindIs "string" $params.hosts.names }}
|
||||
{{- $_ := set $local "certHosts" (list $params.hosts.names) }}
|
||||
{{- else }}
|
||||
{{- $_ := set $local "certHosts" $_hosts }}
|
||||
{{- end }}
|
||||
|
||||
{{- $_ips := $params.hosts.ips | default list }}
|
||||
{{- if kindIs "string" $params.hosts.ips }}
|
||||
{{- $_ := set $local "certIps" (list $params.hosts.ips) }}
|
||||
{{- else }}
|
||||
{{- $_ := set $local "certIps" $_ips }}
|
||||
{{- end }}
|
||||
|
||||
{{- if hasKey $params "ca" }}
|
||||
{{- if and (hasKey $params.ca "crt") (hasKey $params.ca "key") }}
|
||||
{{- $ca := buildCustomCert ($params.ca.crt | b64enc ) ($params.ca.key | b64enc ) }}
|
||||
{{- $_ := set $local "ca" $ca }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
{{- $ca := genCA (first $local.certHosts) (int $params.life) }}
|
||||
{{- $_ := set $local "ca" $ca }}
|
||||
{{- end }}
|
||||
|
||||
{{- $expDate := date_in_zone "2006-01-02T15:04:05Z07:00" ( date_modify (printf "+%sh" (mul $params.life 24 |toString)) now ) "UTC" }}
|
||||
{{- $rawCert := genSignedCert (first $local.certHosts) ($local.certIps) ($local.certHosts) (int $params.life) $local.ca }}
|
||||
{{- $certificate := dict -}}
|
||||
{{- if $encode -}}
|
||||
{{- $_ := b64enc $rawCert.Cert | set $certificate "crt" -}}
|
||||
{{- $_ := b64enc $rawCert.Key | set $certificate "key" -}}
|
||||
{{- $_ := b64enc $local.ca.Cert | set $certificate "ca" -}}
|
||||
{{- $_ := b64enc $local.ca.Key | set $certificate "caKey" -}}
|
||||
{{- $_ := b64enc $expDate | set $certificate "exp" -}}
|
||||
{{- else -}}
|
||||
{{- $_ := set $certificate "crt" $rawCert.Cert -}}
|
||||
{{- $_ := set $certificate "key" $rawCert.Key -}}
|
||||
{{- $_ := set $certificate "ca" $local.ca.Cert -}}
|
||||
{{- $_ := set $certificate "caKey" $local.ca.Key -}}
|
||||
{{- $_ := set $certificate "exp" $expDate -}}
|
||||
{{- end -}}
|
||||
{{- $certificate | toYaml }}
|
||||
{{- end -}}
|
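Review bot: The returned dictionary contains `caKey` (the CA private key, `$local.ca.Key`) in both the encoded and plain branches, but the `return:` example in the doc block lists only `ca`, `crt`, `exp` and `key`. A caller that copies the whole result into a per-service Secret gives every consumer of that Secret the means to sign certificates for any host; the comment should list `caKey` and say it must stay out of service-facing secrets. Separately, when `ca` is present but lacks `crt` or `key`, nothing sets `$local.ca` and `genSignedCert` is called without a CA; adding `{{- else }}{{- fail "params.ca requires both crt and key" }}` to the inner `if` would turn that into a clear render error. When no `ca` is supplied `genCA` runs on every render, so presumably each upgrade issues a new CA and certificate unless the caller persists the result; that is worth a line in the comment as well.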
@ -0,0 +1,46 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Returns a comma separated list of namespace:service pairs.
|
||||
values: |
|
||||
dependencies:
|
||||
static:
|
||||
api:
|
||||
services:
|
||||
- endpoint: internal
|
||||
service: oslo_cache
|
||||
- endpoint: internal
|
||||
service: oslo_db
|
||||
endpoints:
|
||||
oslo_db:
|
||||
namespace: foo
|
||||
hosts:
|
||||
default: mariadb
|
||||
oslo_cache:
|
||||
namespace: bar
|
||||
hosts:
|
||||
default: memcache
|
||||
usage: |
|
||||
{{ tuple .Values.dependencies.static.api.services . | include "helm-toolkit.utils.comma_joined_service_list" }}
|
||||
return: |
|
||||
bar:memcache,foo:mariadb
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
|
||||
{{- $deps := index . 0 -}}
|
||||
{{- $envAll := index . 1 -}}
|
||||
{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,30 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.configmap_templater" }}
|
||||
{{- $keyRoot := index . 0 -}}
|
||||
{{- $configTemplate := index . 1 -}}
|
||||
{{- $context := index . 2 -}}
|
||||
{{ if $keyRoot.override -}}
|
||||
{{ $keyRoot.override | indent 4 }}
|
||||
{{- else -}}
|
||||
{{- if $keyRoot.prefix -}}
|
||||
{{ $keyRoot.prefix | indent 4 }}
|
||||
{{- end }}
|
||||
{{ tuple $configTemplate $context | include "helm-toolkit.utils.template" | indent 4 }}
|
||||
{{- end }}
|
||||
{{- if $keyRoot.append -}}
|
||||
{{ $keyRoot.append | indent 4 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
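Review bot: This helper has no doc block, and its behaviour is not obvious from a call site: `$keyRoot.override` replaces the rendered template entirely, yet `$keyRoot.append` is still emitted afterwards because that `if` sits outside the override/else pair. I would add an `abstract`/`usage` comment like the other utils, naming the three positional arguments (`keyRoot`, the template name, the context). It should also say that `override`, `prefix` and `append` are inserted verbatim with a four-space indent and are not passed through `tpl`.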
@ -0,0 +1,269 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.daemonset_overrides" }}
|
||||
{{- $daemonset := index . 0 }}
|
||||
{{- $daemonset_yaml := index . 1 }}
|
||||
{{- $configmap_include := index . 2 }}
|
||||
{{- $configmap_name := index . 3 }}
|
||||
{{- $context := index . 4 }}
|
||||
{{- $_ := unset $context ".Files" }}
|
||||
{{- $daemonset_root_name := printf (print $context.Chart.Name "_" $daemonset) }}
|
||||
{{- $_ := set $context.Values "__daemonset_list" list }}
|
||||
{{- $_ := set $context.Values "__default" dict }}
|
||||
{{- if hasKey $context.Values.conf "overrides" }}
|
||||
{{- range $key, $val := $context.Values.conf.overrides }}
|
||||
|
||||
{{- if eq $key $daemonset_root_name }}
|
||||
{{- range $type, $type_data := . }}
|
||||
|
||||
{{- if eq $type "hosts" }}
|
||||
{{- range $host_data := . }}
|
||||
{{/* dictionary that will contain all info needed to generate this
|
||||
iteration of the daemonset */}}
|
||||
{{- $current_dict := dict }}
|
||||
|
||||
{{/* set daemonset name */}}
|
||||
{{/* Note: long hostnames can cause the 63 char name limit to be
|
||||
exceeded. Truncate the hostname if hostname > 20 char */}}
|
||||
{{- if gt (len $host_data.name) 20 }}
|
||||
{{- $_ := set $current_dict "name" (substr 0 20 $host_data.name) }}
|
||||
{{- else }}
|
||||
{{- $_ := set $current_dict "name" $host_data.name }}
|
||||
{{- end }}
|
||||
|
||||
{{/* apply overrides */}}
|
||||
{{- $override_conf_copy := $host_data.conf }}
|
||||
{{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
|
||||
{{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
|
||||
{{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
|
||||
{{- $root_conf_copy2 := dict "conf" $merged_dict }}
|
||||
{{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
|
||||
{{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
|
||||
{{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
|
||||
{{- $_ := set $current_dict "nodeData" $root_conf_copy4 }}
|
||||
|
||||
{{/* Schedule to this host explicitly. */}}
|
||||
{{- $nodeSelector_dict := dict }}
|
||||
|
||||
{{- $_ := set $nodeSelector_dict "key" "kubernetes.io/hostname" }}
|
||||
{{- $_ := set $nodeSelector_dict "operator" "In" }}
|
||||
|
||||
{{- $values_list := list $host_data.name }}
|
||||
{{- $_ := set $nodeSelector_dict "values" $values_list }}
|
||||
|
||||
{{- $list_aggregate := list $nodeSelector_dict }}
|
||||
{{- $_ := set $current_dict "matchExpressions" $list_aggregate }}
|
||||
|
||||
{{/* store completed daemonset entry/info into global list */}}
|
||||
{{- $list_aggregate := append $context.Values.__daemonset_list $current_dict }}
|
||||
{{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if eq $type "labels" }}
|
||||
{{- $_ := set $context.Values "__label_list" . }}
|
||||
{{- range $label_data := . }}
|
||||
{{/* dictionary that will contain all info needed to generate this
|
||||
iteration of the daemonset. */}}
|
||||
{{- $_ := set $context.Values "__current_label" dict }}
|
||||
|
||||
{{/* set daemonset name */}}
|
||||
{{- $_ := set $context.Values.__current_label "name" $label_data.label.key }}
|
||||
|
||||
{{/* apply overrides */}}
|
||||
{{- $override_conf_copy := $label_data.conf }}
|
||||
{{/* Deep copy to prevent https://storyboard.openstack.org/#!/story/2005936 */}}
|
||||
{{- $root_conf_copy := omit ($context.Values.conf | toYaml | fromYaml) "overrides" }}
|
||||
{{- $merged_dict := mergeOverwrite $root_conf_copy $override_conf_copy }}
|
||||
{{- $root_conf_copy2 := dict "conf" $merged_dict }}
|
||||
{{- $context_values := omit (omit ($context.Values | toYaml | fromYaml) "conf") "__daemonset_list" }}
|
||||
{{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
|
||||
{{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
|
||||
{{- $_ := set $context.Values.__current_label "nodeData" $root_conf_copy4 }}
|
||||
|
||||
{{/* Schedule to the provided label value(s) */}}
|
||||
{{- $label_dict := omit $label_data.label "NULL" }}
|
||||
{{- $_ := set $label_dict "operator" "In" }}
|
||||
{{- $list_aggregate := list $label_dict }}
|
||||
{{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
|
||||
|
||||
{{/* Do not schedule to other specified labels, with higher
|
||||
precedence as the list position increases. Last defined label
|
||||
is highest priority. */}}
|
||||
{{- $other_labels := without $context.Values.__label_list $label_data }}
|
||||
{{- range $label_data2 := $other_labels }}
|
||||
{{- $label_dict := omit $label_data2.label "NULL" }}
|
||||
|
||||
{{- $_ := set $label_dict "operator" "NotIn" }}
|
||||
|
||||
{{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
|
||||
{{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
|
||||
{{- end }}
|
||||
{{- $_ := set $context.Values "__label_list" $other_labels }}
|
||||
|
||||
{{/* Do not schedule to any other specified hosts */}}
|
||||
{{- range $type, $type_data := $val }}
|
||||
{{- if eq $type "hosts" }}
|
||||
{{- range $host_data := . }}
|
||||
{{- $label_dict := dict }}
|
||||
|
||||
{{- $_ := set $label_dict "key" "kubernetes.io/hostname" }}
|
||||
{{- $_ := set $label_dict "operator" "NotIn" }}
|
||||
|
||||
{{- $values_list := list $host_data.name }}
|
||||
{{- $_ := set $label_dict "values" $values_list }}
|
||||
|
||||
{{- $list_aggregate := append $context.Values.__current_label.matchExpressions $label_dict }}
|
||||
{{- $_ := set $context.Values.__current_label "matchExpressions" $list_aggregate }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* store completed daemonset entry/info into global list */}}
|
||||
{{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__current_label }}
|
||||
{{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
|
||||
{{- $_ := unset $context.Values "__current_label" }}
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* scheduler exceptions for the default daemonset */}}
|
||||
{{- $_ := set $context.Values.__default "matchExpressions" list }}
|
||||
|
||||
{{- range $type, $type_data := . }}
|
||||
{{/* Do not schedule to other specified labels */}}
|
||||
{{- if eq $type "labels" }}
|
||||
{{- range $label_data := . }}
|
||||
{{- $default_dict := omit $label_data.label "NULL" }}
|
||||
|
||||
{{- $_ := set $default_dict "operator" "NotIn" }}
|
||||
|
||||
{{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
|
||||
{{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{/* Do not schedule to other specified hosts */}}
|
||||
{{- if eq $type "hosts" }}
|
||||
{{- range $host_data := . }}
|
||||
{{- $default_dict := dict }}
|
||||
|
||||
{{- $_ := set $default_dict "key" "kubernetes.io/hostname" }}
|
||||
{{- $_ := set $default_dict "operator" "NotIn" }}
|
||||
|
||||
{{- $values_list := list $host_data.name }}
|
||||
{{- $_ := set $default_dict "values" $values_list }}
|
||||
|
||||
{{- $list_aggregate := append $context.Values.__default.matchExpressions $default_dict }}
|
||||
{{- $_ := set $context.Values.__default "matchExpressions" $list_aggregate }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/* generate the default daemonset */}}
|
||||
|
||||
{{/* set name */}}
|
||||
{{- $_ := set $context.Values.__default "name" "default" }}
|
||||
|
||||
{{/* no overrides apply, so copy as-is */}}
|
||||
{{- $root_conf_copy1 := omit $context.Values.conf "overrides" }}
|
||||
{{- $root_conf_copy2 := dict "conf" $root_conf_copy1 }}
|
||||
{{- $context_values := omit $context.Values "conf" }}
|
||||
{{- $root_conf_copy3 := mergeOverwrite $context_values $root_conf_copy2 }}
|
||||
{{- $root_conf_copy4 := dict "Values" $root_conf_copy3 }}
|
||||
{{- $_ := set $context.Values.__default "nodeData" $root_conf_copy4 }}
|
||||
|
||||
{{/* add to global list */}}
|
||||
{{- $list_aggregate := append $context.Values.__daemonset_list $context.Values.__default }}
|
||||
{{- $_ := set $context.Values "__daemonset_list" $list_aggregate }}
|
||||
|
||||
{{- range $current_dict := $context.Values.__daemonset_list }}
|
||||
|
||||
{{- $context_novalues := omit $context "Values" }}
|
||||
{{- $merged_dict := mergeOverwrite $context_novalues $current_dict.nodeData }}
|
||||
{{- $_ := set $current_dict "nodeData" $merged_dict }}
|
||||
{{/* Deep copy original daemonset_yaml */}}
|
||||
{{- $_ := set $context.Values "__daemonset_yaml" ($daemonset_yaml | toYaml | fromYaml) }}
|
||||
|
||||
{{/* name needs to be a DNS-1123 compliant name. Ensure lower case */}}
|
||||
{{- $name_format1 := printf (print $daemonset_root_name "-" $current_dict.name) | lower }}
|
||||
{{/* labels may contain underscores which would be invalid here, so we replace them with dashes
|
||||
there may be other valid label names which would make for an invalid DNS-1123 name
|
||||
but these will be easier to handle in future with sprig regex* functions
|
||||
(not availabile in helm 2.5.1) */}}
|
||||
{{- $name_format2 := $name_format1 | replace "_" "-" }}
|
||||
{{/* To account for the case where the same label is defined multiple times in overrides
|
||||
(but with different label values), we add a sha of the scheduling data to ensure
|
||||
name uniqueness */}}
|
||||
{{- $_ := set $current_dict "dns_1123_name" dict }}
|
||||
{{- if hasKey $current_dict "matchExpressions" }}
|
||||
{{- $_ := set $current_dict "dns_1123_name" (printf (print $name_format2 "-" ($current_dict.matchExpressions | quote | sha256sum | trunc 8))) }}
|
||||
{{- else }}
|
||||
{{- $_ := set $current_dict "dns_1123_name" $name_format2 }}
|
||||
{{- end }}
|
||||
|
||||
{{/* set daemonset metadata name */}}
|
||||
{{- if not $context.Values.__daemonset_yaml.metadata }}{{- $_ := set $context.Values.__daemonset_yaml "metadata" dict }}{{- end }}
|
||||
{{- if not $context.Values.__daemonset_yaml.metadata.name }}{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" dict }}{{- end }}
|
||||
{{- $_ := set $context.Values.__daemonset_yaml.metadata "name" $current_dict.dns_1123_name }}
|
||||
|
||||
{{/* cross-reference configmap name to container volume definitions */}}
|
||||
{{- $_ := set $context.Values "__volume_list" list }}
|
||||
{{- range $current_volume := $context.Values.__daemonset_yaml.spec.template.spec.volumes }}
|
||||
{{- $_ := set $context.Values "__volume" $current_volume }}
|
||||
{{- if hasKey $context.Values.__volume "secret" }}
|
||||
{{- if eq $context.Values.__volume.secret.secretName $configmap_name }}
|
||||
{{- $_ := set $context.Values.__volume.secret "secretName" $current_dict.dns_1123_name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- $updated_list := append $context.Values.__volume_list $context.Values.__volume }}
|
||||
{{- $_ := set $context.Values "__volume_list" $updated_list }}
|
||||
{{- end }}
|
||||
{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "volumes" $context.Values.__volume_list }}
|
||||
|
||||
|
||||
{{/* populate scheduling restrictions */}}
|
||||
{{- if hasKey $current_dict "matchExpressions" }}
|
||||
{{- if not $context.Values.__daemonset_yaml.spec.template.spec }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "spec" dict }}{{- end }}
|
||||
{{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec "affinity" dict }}{{- end }}
|
||||
{{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity "nodeAffinity" dict }}{{- end }}
|
||||
{{- if not $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity "requiredDuringSchedulingIgnoredDuringExecution" dict }}{{- end }}
|
||||
{{- $match_exprs := dict }}
|
||||
{{- $_ := set $match_exprs "matchExpressions" $current_dict.matchExpressions }}
|
||||
{{- $appended_match_expr := list $match_exprs }}
|
||||
{{- $_ := set $context.Values.__daemonset_yaml.spec.template.spec.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution "nodeSelectorTerms" $appended_match_expr }}
|
||||
{{- end }}
|
||||
|
||||
{{/* input value hash for current set of values overrides */}}
|
||||
{{- if not $context.Values.__daemonset_yaml.spec }}{{- $_ := set $context.Values.__daemonset_yaml "spec" dict }}{{- end }}
|
||||
{{- if not $context.Values.__daemonset_yaml.spec.template }}{{- $_ := set $context.Values.__daemonset_yaml.spec "template" dict }}{{- end }}
|
||||
{{- if not $context.Values.__daemonset_yaml.spec.template.metadata }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template "metadata" dict }}{{- end }}
|
||||
{{- if not $context.Values.__daemonset_yaml.spec.template.metadata.annotations }}{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata "annotations" dict }}{{- end }}
|
||||
{{- $cmap := list $current_dict.dns_1123_name $current_dict.nodeData | include $configmap_include }}
|
||||
{{- $values_hash := $cmap | quote | sha256sum }}
|
||||
{{- $_ := set $context.Values.__daemonset_yaml.spec.template.metadata.annotations "configmap-etc-hash" $values_hash }}
|
||||
|
||||
{{/* generate configmap */}}
|
||||
---
|
||||
{{ $cmap }}
|
||||
{{/* generate daemonset yaml */}}
|
||||
---
|
||||
{{ $context.Values.__daemonset_yaml | toYaml }}
|
||||
{{- end }}
|
||||
{{- end }}
|
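Review bot: `unset $context ".Files"` looks like a no-op, because the key carries a leading dot while the context field is `Files`. Either delete the line or, if the removal is wanted before the `toYaml | fromYaml` deep copies, write `{{- $_ := unset $context "Files" }}` and confirm that no later template in the caller still needs `.Files`. The nil guards for `.spec` and `.spec.template` under "input value hash" also come too late, since `.spec.template.spec.volumes` and `.spec.template.spec` are already dereferenced in the volume and scheduling steps above them; moving the guards ahead of the volume loop would make them effective. The template writes scratch keys (`__daemonset_list`, `__default`, `__label_list`, `__volume`, `__volume_list`, `__daemonset_yaml`) into the caller's `.Values` and unsets only `__current_label`. That belongs in a doc block, together with the fact that only `secret` volumes whose `secretName` equals `$configmap_name` are renamed.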
@ -0,0 +1,40 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.dependency_resolver" }}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $dependencyMixinParam := index . "dependencyMixinParam" -}}
|
||||
{{- $dependencyKey := index . "dependencyKey" -}}
|
||||
{{- if $dependencyMixinParam -}}
|
||||
{{- $_ := set $envAll.Values "pod_dependency" dict -}}
|
||||
{{- if kindIs "string" $dependencyMixinParam }}
|
||||
{{- if ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam ) }}
|
||||
{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency ( index $envAll.Values.dependencies.static $dependencyKey ) ( index $envAll.Values.dependencies.dynamic.targeted $dependencyMixinParam $dependencyKey ) ) -}}
|
||||
{{- else }}
|
||||
{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
|
||||
{{- end }}
|
||||
{{- else if kindIs "slice" $dependencyMixinParam }}
|
||||
{{- $_ := set $envAll.Values "__deps" ( index $envAll.Values.dependencies.static $dependencyKey ) }}
|
||||
{{- range $k, $v := $dependencyMixinParam -}}
|
||||
{{- if ( index $envAll.Values.dependencies.dynamic.targeted $v ) }}
|
||||
{{- $_ := include "helm-toolkit.utils.merge" (tuple $envAll.Values.pod_dependency $envAll.Values.__deps ( index $envAll.Values.dependencies.dynamic.targeted $v $dependencyKey ) ) -}}
|
||||
{{- $_ := set $envAll.Values "__deps" $envAll.Values.pod_dependency -}}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- else -}}
|
||||
{{- $_ := set $envAll.Values "pod_dependency" ( index $envAll.Values.dependencies.static $dependencyKey ) -}}
|
||||
{{- end -}}
|
||||
{{ $envAll.Values.pod_dependency | toYaml }}
|
||||
{{- end }}
|
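Review bot: In the `kindIs "slice"` branch `pod_dependency` starts as an empty dict and is filled only inside `if ( index $envAll.Values.dependencies.dynamic.targeted $v )`, so when none of the listed mixins has a targeted entry the template returns `{}` and the static dependencies for `$dependencyKey` are dropped. The string branch has an `else` that falls back to the static set; pods rendered through the slice branch would presumably start without waiting for anything. Assigning the accumulator after the loop, `{{- $_ := set $envAll.Values "pod_dependency" $envAll.Values.__deps -}}`, covers both cases, since `__deps` holds the static set until a merge replaces it. The helper also leaves `pod_dependency` and `__deps` on the caller's `.Values`, which a doc block (currently absent) should mention.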
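--- a/charts/deps/helm-toolkit/templates/utils/_hash.tpl
+++ b/charts/deps/helm-toolkit/templates/utils/_hash.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.hash" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{- include $wtf $context | sha256sum | quote -}}
+{{- end -}}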
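Review bot: `replace $last $name` substitutes every occurrence of the base name in `$context.Template.Name`, not only the trailing path component, so a chart or directory name containing the same string as the calling template's file name would produce a wrong include path. Building the path from the directory is unambiguous: `{{- $path := printf "%s/%s" (dir $context.Template.Name) $name -}}`, which also gives the `$wtf` local a descriptive name. The same two lines appear in `helm-toolkit.utils.template` in `_template.tpl`. Since the digest is computed over whatever template that path resolves to, a header comment stating what `$name` must be (a file name in the caller's own directory) would help reviewers of calling charts.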
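--- a/charts/deps/helm-toolkit/templates/utils/_host_list.tpl
+++ b/charts/deps/helm-toolkit/templates/utils/_host_list.tpl
@@ -0,0 +1,44 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+Returns a list of unique hosts for an endpoint, in yaml.
+values: |
+endpoints:
+cluster_domain_suffix: cluster.local
+oslo_db:
+hosts:
+default: mariadb
+host_fqdn_override:
+default: mariadb
+usage: |
+{{ tuple "oslo_db" "internal" . | include "helm-toolkit.utils.host_list" }}
+return: |
+hosts:
+- mariadb
+- mariadb.default
+*/}}
+
+{{- define "helm-toolkit.utils.host_list" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $host_fqdn := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $host_namespaced := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }}
+{{- $host_short := tuple $type $endpoint $context | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+{{/* It is important that the FQDN host is 1st in this list, to ensure other function can use the 1st element for cert gen CN etc */}}
+{{- $host_list := list $host_fqdn $host_namespaced $host_short | uniq }}
+{{- dict "hosts" $host_list | toYaml }}
+{{- end -}}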
@ -0,0 +1,25 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.image_sync_list" -}}
|
||||
{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
|
||||
{{- $imageDict := .Values.images.tags -}}
|
||||
{{- $local := dict "first" true -}}
|
||||
{{- range $k, $v := $imageDict -}}
|
||||
{{- if not $local.first -}},{{- end -}}
|
||||
{{- if (not (has $k $imageExcludeList )) -}}
|
||||
{{- index $imageDict $k -}}
|
||||
{{- $_ := set $local "first" false -}}
|
||||
{{- end -}}{{- end -}}
|
||||
{{- end -}}
|
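Review bot: The separator in `helm-toolkit.utils.image_sync_list` is emitted before the exclusion test, so once one image has been written, every excluded key that follows still prints a comma and the result can contain empty entries (`a,,c`) or a trailing comma. Move `{{- if not $local.first -}},{{- end -}}` inside the `{{- if (not (has $k $imageExcludeList )) -}}` branch, directly before `{{- index $imageDict $k -}}`. A consumer that splits this string on commas would otherwise receive empty image references. The define also has no header comment, unlike the join helpers next to it; a short `abstract`/`values`/`return` block naming `.Values.images.tags` and `.Values.images.local_registry.exclude` would make the inputs explicit.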
@ -0,0 +1,31 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Joins a list of values into a comma separated string
|
||||
values: |
|
||||
test:
|
||||
- foo
|
||||
- bar
|
||||
usage: |
|
||||
{{ include "helm-toolkit.utils.joinListWithComma" .Values.test }}
|
||||
return: |
|
||||
foo,bar
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.joinListWithComma" -}}
|
||||
{{- $local := dict "first" true -}}
|
||||
{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,32 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Joins a list of values into a comma seperated string with single quotes
|
||||
around each value.
|
||||
values: |
|
||||
test:
|
||||
- foo
|
||||
- bar
|
||||
usage: |
|
||||
{{ include "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" .Values.test }}
|
||||
return: |
|
||||
'foo','bar'
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.joinListWithCommaAndSingleQuotes" -}}
|
||||
{{- $local := dict "first" true -}}
|
||||
{{- range $k, $v := . -}}{{- if not $local.first -}},{{- end -}}'{{- $v -}}'{{- $_ := set $local "first" false -}}{{- end -}}
|
||||
{{- end -}}
|
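Review bot: `'{{- $v -}}'` writes each value between single quotes without escaping, so a value that itself contains `'` ends the quoting early in whatever consumes the string. The consumers are not visible in this section; if any of them place the result in SQL, shell or similarly quoted configuration text, the helper should reject such values with `fail` or escape them, and the header comment should state that values must not contain single quotes. The header comment also spells "separated" as "seperated".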
@ -0,0 +1,32 @@
|
||||
{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Joins a list of prefixed values into a space separated string
|
||||
values: |
|
||||
test:
|
||||
- foo
|
||||
- bar
|
||||
usage: |
|
||||
{{ tuple "prefix" .Values.test | include "helm-toolkit.utils.joinListWithPrefix" }}
|
||||
return: |
|
||||
prefixfoo prefixbar
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.joinListWithPrefix" -}}
|
||||
{{- $prefix := index . 0 -}}
|
||||
{{- $local := dict "first" true -}}
|
||||
{{- range $k, $v := index . 1 -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $prefix -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
|
||||
{{- end -}}
|
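Review bot: The licence header of this file opens with `{/*` instead of `{{/*`, so it is not a template comment; everything up to the first real `{{/*` is parsed as literal template text at file level. This is probably harmless if the file is only ever loaded as a partial, but it differs from every other file in this directory and should be corrected to `{{/*`.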
@ -0,0 +1,31 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Joins a list of values into a space separated string
|
||||
values: |
|
||||
test:
|
||||
- foo
|
||||
- bar
|
||||
usage: |
|
||||
{{ include "helm-toolkit.utils.joinListWithSpace" .Values.test }}
|
||||
return: |
|
||||
foo bar
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.joinListWithSpace" -}}
|
||||
{{- $local := dict "first" true -}}
|
||||
{{- range $k, $v := . -}}{{- if not $local.first -}}{{- " " -}}{{- end -}}{{- $v -}}{{- $_ := set $local "first" false -}}{{- end -}}
|
||||
{{- end -}}
|
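--- a/charts/deps/helm-toolkit/templates/utils/_merge.tpl
+++ b/charts/deps/helm-toolkit/templates/utils/_merge.tpl
@@ -0,0 +1,135 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+Takes a tuple of values and merges into the first (target) one each subsequent
+(source) one in order. If all values to merge are maps, then the tuple can be
+passed as is and the target will be the result, otherwise pass a map with a
+"values" key containing the tuple of values to merge, and the merge result will
+be assigned to the "result" key of the passed map.
+
+When merging maps, for each key in the source, if the target does not define
+that key, the source value is assigned. If both define the key, then the key
+values are merged using this algorithm (recursively) and the result is assigned
+to the target key. Slices are merged by appending them and removing any
+duplicates, and when passing a map to this function and including a
+"merge_same_named" key set to true, then map items from the slices with the same
+value for the "name" key will be merged with each other. Any other values are
+merged by simply keeping the source, and throwing away the target.
+*/}}
+
+{{- define "helm-toolkit.utils.merge" -}}
+{{- $local := dict -}}
+{{- $_ := set $local "merge_same_named" false -}}
+{{- if kindIs "map" $ -}}
+{{- $_ := set $local "values" $.values -}}
+{{- if hasKey $ "merge_same_named" -}}
+{{- $_ := set $local "merge_same_named" $.merge_same_named -}}
+{{- end -}}
+{{- else -}}
+{{- $_ := set $local "values" $ -}}
+{{- end -}}
+
+{{- $target := first $local.values -}}
+{{- range $item := rest $local.values -}}
+{{- $call := dict "target" $target "source" . "merge_same_named" $local.merge_same_named -}}
+{{- $_ := include "helm-toolkit.utils._merge" $call -}}
+{{- $_ := set $local "result" $call.result -}}
+{{- end -}}
+
+{{- if kindIs "map" $ -}}
+{{- $_ := set $ "result" $local.result -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge" -}}
+{{- $local := dict -}}
+
+{{- $_ := set $ "result" $.source -}}
+
+{{/*
+TODO: Should we `fail` when trying to merge a collection (map or slice) with
+either a different kind of collection or a scalar?
+*/}}
+
+{{- if and (kindIs "map" $.target) (kindIs "map" $.source) -}}
+{{- range $key, $sourceValue := $.source -}}
+{{- if not (hasKey $.target $key) -}}
+{{- $_ := set $local "newTargetValue" $sourceValue -}}
+{{- if kindIs "map" $sourceValue -}}
+{{- $copy := dict -}}
+{{- $call := dict "target" $copy "source" $sourceValue -}}
+{{- $_ := include "helm-toolkit.utils._merge.shallow" $call -}}
+{{- $_ := set $local "newTargetValue" $copy -}}
+{{- end -}}
+{{- else -}}
+{{- $targetValue := index $.target $key -}}
+{{- $call := dict "target" $targetValue "source" $sourceValue "merge_same_named" $.merge_same_named -}}
+{{- $_ := include "helm-toolkit.utils._merge" $call -}}
+{{- $_ := set $local "newTargetValue" $call.result -}}
+{{- end -}}
+{{- $_ := set $.target $key $local.newTargetValue -}}
+{{- end -}}
+{{- $_ := set $ "result" $.target -}}
+{{- else if and (kindIs "slice" $.target) (kindIs "slice" $.source) -}}
+{{- $call := dict "target" $.target "source" $.source -}}
+{{- $_ := include "helm-toolkit.utils._merge.append_slice" $call -}}
+{{- if $.merge_same_named -}}
+{{- $_ := set $local "result" list -}}
+{{- $_ := set $local "named_items" dict -}}
+{{- range $item := $call.result -}}
+{{- $_ := set $local "has_name_key" false -}}
+{{- if kindIs "map" $item -}}
+{{- if hasKey $item "name" -}}
+{{- $_ := set $local "has_name_key" true -}}
+{{- end -}}
+{{- end -}}
+
+{{- if $local.has_name_key -}}
+{{- if hasKey $local.named_items $item.name -}}
+{{- $named_item := index $local.named_items $item.name -}}
+{{- $call := dict "target" $named_item "source" $item "merge_same_named" $.merge_same_named -}}
+{{- $_ := include "helm-toolkit.utils._merge" $call -}}
+{{- else -}}
+{{- $copy := dict -}}
+{{- $copy_call := dict "target" $copy "source" $item -}}
+{{- $_ := include "helm-toolkit.utils._merge.shallow" $copy_call -}}
+{{- $_ := set $local.named_items $item.name $copy -}}
+{{- $_ := set $local "result" (append $local.result $copy) -}}
+{{- end -}}
+{{- else -}}
+{{- $_ := set $local "result" (append $local.result $item) -}}
+{{- end -}}
+{{- end -}}
+{{- else -}}
+{{- $_ := set $local "result" $call.result -}}
+{{- end -}}
+{{- $_ := set $ "result" (uniq $local.result) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.shallow" -}}
+{{- range $key, $value := $.source -}}
+{{- $_ := set $.target $key $value -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "helm-toolkit.utils._merge.append_slice" -}}
+{{- $local := dict -}}
+{{- $_ := set $local "result" $.target -}}
+{{- range $value := $.source -}}
+{{- $_ := set $local "result" (append $local.result $value) -}}
+{{- end -}}
+{{- $_ := set $ "result" $local.result -}}
+{{- end -}}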
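Review bot: `helm-toolkit.utils._merge.shallow` copies only the top level of a source map, so when `_merge` assigns a key the target lacks, any maps nested under it are still shared with the source. A later merge into the same target recurses into those shared maps and calls `set` on them, which changes the source value as well; callers such as `dependency_resolver` pass entries of `.Values.dependencies.static` as sources, so one include can alter what later includes read. Copying recursively in the `not (hasKey $.target $key)` branch (for example with Sprig's `deepCopy`, where the supported Helm version provides it) avoids the aliasing; at minimum the header comment should state that targets are modified in place and sources may be modified too. Related to the TODO in `_merge`: a map silently replaced by a scalar from a later source drops every setting under that key, so failing on mismatched kinds looks like the safer default.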
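--- a/charts/deps/helm-toolkit/templates/utils/_template.tpl
+++ b/charts/deps/helm-toolkit/templates/utils/_template.tpl
@@ -0,0 +1,21 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.template" -}}
+{{- $name := index . 0 -}}
+{{- $context := index . 1 -}}
+{{- $last := base $context.Template.Name }}
+{{- $wtf := $context.Template.Name | replace $last $name -}}
+{{ include $wtf $context }}
+{{- end -}}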
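--- a/charts/deps/helm-toolkit/templates/utils/_to_ini.tpl
+++ b/charts/deps/helm-toolkit/templates/utils/_to_ini.tpl
@@ -0,0 +1,51 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+abstract: |
+Returns INI formatted output from yaml input
+values: |
+conf:
+paste:
+filter:debug:
+use: egg:oslo.middleware#debug
+filter:request_id:
+use: egg:oslo.middleware#request_id
+filter:build_auth_context:
+use: egg:keystone#build_auth_context
+usage: |
+{{ include "helm-toolkit.utils.to_ini" .Values.conf.paste }}
+return: |
+[filter:build_auth_context]
+use = egg:keystone#build_auth_context
+[filter:debug]
+use = egg:oslo.middleware#debug
+[filter:request_id]
+use = egg:oslo.middleware#request_id
+*/}}
+
+{{- define "helm-toolkit.utils.to_ini" -}}
+{{- range $section, $values := . -}}
+{{- if kindIs "map" $values -}}
+[{{ $section }}]
+{{range $key, $value := $values -}}
+{{- if kindIs "slice" $value -}}
+{{ $key }} = {{ include "helm-toolkit.utils.joinListWithComma" $value }}
+{{else -}}
+{{ $key }} = {{ $value }}
+{{end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}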
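Review bot: `[{{ $section }}]` and `{{ $key }} = {{ $value }}` write section names, keys and values verbatim, so a string value that contains a newline produces extra lines that the INI parser reads as separate options or section headers. If values can come from overrides supplied by someone other than the chart author, guard the scalar branch, e.g. `{{- if contains "\n" (toString $value) }}{{ fail "to_ini: multi-line value" }}{{ end -}}`, or state in the header comment that values must be single-line. Top-level entries that are not maps are skipped without any message, which the header comment should also mention.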
@ -0,0 +1,46 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Returns yaml formatted to be used in k8s templates as container
|
||||
env vars injected via secrets. This requires a secret-<chartname> template to
|
||||
be defined in the chart that can be used to house the desired secret
|
||||
variables. For reference, see the fluentd chart.
|
||||
values: |
|
||||
test:
|
||||
secrets:
|
||||
foo: bar
|
||||
|
||||
usage: |
|
||||
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
|
||||
return: |
|
||||
- name: foo
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: "my-release-name-env-secret"
|
||||
key: foo
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.to_k8s_env_secret_vars" -}}
|
||||
{{- $context := index . 0 -}}
|
||||
{{- $secrets := index . 1 -}}
|
||||
{{ range $key, $config := $secrets -}}
|
||||
- name: {{ $key }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ printf "%s-%s" $context.Release.Name "env-secret" | quote }}
|
||||
key: {{ $key }}
|
||||
{{ end -}}
|
||||
{{- end -}}
|
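Review bot: The header comment documents a different helper: its `usage` line calls `helm-toolkit.utils.to_k8s_env_vars` with `.Values.test`, while this file defines `helm-toolkit.utils.to_k8s_env_secret_vars`, which reads a context at index 0 and the secrets map at index 1. The usage line should read along the lines of `{{ tuple . .Values.test.secrets | include "helm-toolkit.utils.to_k8s_env_secret_vars" }}`. `name: {{ $key }}` and `key: {{ $key }}` are also unquoted, so a key such as `NO` or an all-digit key is typed as a boolean or number by the YAML parser; `{{ $key | quote }}` keeps it a string, and the same applies to `name: {{ $key }}` in `helm-toolkit.utils.to_k8s_env_vars` in the next section.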
@ -0,0 +1,39 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Returns key value pair formatted to be used in k8s templates as container
|
||||
env vars.
|
||||
values: |
|
||||
test:
|
||||
foo: bar
|
||||
usage: |
|
||||
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.test }}
|
||||
return: |
|
||||
- name: foo
|
||||
value: "bar"
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.utils.to_k8s_env_vars" -}}
|
||||
{{range $key, $value := . -}}
|
||||
{{- if kindIs "slice" $value -}}
|
||||
- name: {{ $key }}
|
||||
value: {{ include "helm-toolkit.utils.joinListWithComma" $value | quote }}
|
||||
{{else -}}
|
||||
- name: {{ $key }}
|
||||
value: {{ $value | quote }}
|
||||
{{ end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|