airship/maas
Code Issues Proposed changes

Support Postgres admin password

Browse Source 
- Fully support Postgres configuration
  in the endpoints stanza
- Add RBAC support to the region and rack
  pods
- Add custom RBAC for export API key job
  to allow secret creation

Change-Id: I9d0b63ac329bb0b9539b14123c5e16ad3cd1c9f0
This commit is contained in:
Scott Hussey 2018-01-28 15:07:43 -06:00
parent ec58f85762
commit 71582567f8
12 changed files with 59 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
charts/maas/templates/bin/_db-init.sh.tpl
View File

@ -36,8 +36,8 @@ if [[ ! -v DB_HOST ]]; then
elif [[ ! -v ROOT_DB_USER ]]; then elif [[ ! -v ROOT_DB_USER ]]; then
echo "environment variable ROOT_DB_USER not set" echo "environment variable ROOT_DB_USER not set"
exit 1 exit 1
elif [[ ! -v ROOT_DB_PASS ]]; then elif [[ ! -v PGPASSWORD ]]; then
echo "environment variable ROOT_DB_PASS not set" echo "environment variable PGPASSWORD not set"
exit 1 exit 1
elif [[ ! -v USER_DB_USER ]]; then elif [[ ! -v USER_DB_USER ]]; then
echo "environment variable USER_DB_USER not set" echo "environment variable USER_DB_USER not set"

20
charts/maas/templates/configmap-etc.yaml
View File

@ -16,16 +16,6 @@ limitations under the License.
{{- $envAll := . }} {{- $envAll := . }}
{{- include "maas.conf.maas_values_skeleton" .Values.conf.maas | trunc 0 -}}
{{- if empty .Values.conf.maas.database.database_host -}}
{{- tuple "maas_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | set .Values.conf.maas.database "database_host" | quote | trunc 0 -}}
{{- end -}}
{{- if empty .Values.conf.maas.url.maas_url -}}
{{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
{{- end -}}
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
@ -47,17 +37,7 @@ data:
{{ .Values.conf.bind.append | indent 4 }} {{ .Values.conf.bind.append | indent 4 }}
{{- end }} {{- end }}
regiond.conf: | regiond.conf: |
{{ if .Values.conf.maas.override -}}
{{ .Values.conf.maas.override | indent 4 }}
{{- else -}}
{{- if .Values.conf.maas.prefix -}}
{{ .Values.conf.maas.prefix | indent 4 }}
{{- end }}
{{ tuple "etc/_regiond.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "etc/_regiond.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- end }}
{{- if .Values.conf.maas.append -}}
{{ .Values.conf.maas.append | indent 4 }}
{{- end }}
nsswitch.conf: | nsswitch.conf: |
{{ tuple "etc/_nsswitch.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} {{ tuple "etc/_nsswitch.conf.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
register-rack-controller.service: | register-rack-controller.service: |

4
charts/maas/templates/deployment-rack.yaml
View File

@ -1,5 +1,6 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -20,9 +21,10 @@ limitations under the License.
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.rack_controller }} {{- $dependencies := .Values.dependencies.rack_controller }}
{{- $serviceAccountName := "maas-rack" }} {{- $serviceAccountName := "maas-rack" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $mounts_maas_rack := .Values.pod.mounts.maas_rack }} {{- $mounts_maas_rack := .Values.pod.mounts.maas_rack }}
{{- $mounts_maas_rack_init := .Values.pod.mounts.maas_rack.init_container }} {{- $mounts_maas_rack_init := .Values.pod.mounts.maas_rack.init_container }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
apiVersion: apps/v1beta1 apiVersion: apps/v1beta1
kind: Deployment kind: Deployment

29
charts/maas/templates/etc/_regiond.conf.tpl
View File

@ -1,4 +1,6 @@
{{/*
# Copyright 2017 The Openstack-Helm Authors. # Copyright 2017 The Openstack-Helm Authors.
# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -11,26 +13,13 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
*/}}
{{ include "maas.conf.maas_values_skeleton" .Values.conf.maas | trunc 0 }}
{{ include "maas.conf.maas" .Values.conf.maas }}
{{- define "maas.conf.maas_values_skeleton" -}}
{{- if not .database -}}{{- set . "database" dict -}}{{- end -}}
{{- if not .url -}}{{- set . "url" dict -}}{{- end -}}
{{- end -}}
{{- if empty .Values.conf.maas.url.maas_url -}} {{- if empty .Values.conf.maas.url.maas_url -}}
{{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}} {{- tuple "maas_region_ui" "default" "region_ui" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | set .Values.conf.maas.url "maas_url" | quote | trunc 0 -}}
{{- end -}} {{- end }}
database_host: {{ tuple "maas_db" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
{{- define "maas.conf.maas" -}} database_name: {{ .Values.endpoints.maas_db.auth.user.database }}
database_pass: {{ .Values.endpoints.maas_db.auth.user.password }}
database_host: {{ .database.database_host }} database_user: {{ .Values.endpoints.maas_db.auth.user.username }}
database_name: {{ .database.database_name }} maas_url: {{ .Values.conf.maas.url.maas_url }}
database_pass: {{ .database.database_password }}
database_user: {{ .database.database_user }}
maas_url: {{ .url.maas_url }}
{{- end -}}

1
charts/maas/templates/job-bootstrap-admin-user.yaml
View File

@ -1,5 +1,6 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.

3
charts/maas/templates/job-db-init.yaml
View File

@ -1,5 +1,6 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -46,7 +47,7 @@ spec:
secretKeyRef: secretKeyRef:
name: {{ .Values.secrets.maas_db.admin }} name: {{ .Values.secrets.maas_db.admin }}
key: DATABASE_USERNAME key: DATABASE_USERNAME
- name: ROOT_DB_PASS - name: PGPASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: {{ .Values.secrets.maas_db.admin }} name: {{ .Values.secrets.maas_db.admin }}

1
charts/maas/templates/job-db-sync.yaml
View File

@ -1,5 +1,6 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.

49
charts/maas/templates/job-export-api-key.yaml
View File

@ -1,5 +1,6 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
@ -18,35 +19,55 @@ limitations under the License.
{{- $dependencies := .Values.dependencies.export_api_key }} {{- $dependencies := .Values.dependencies.export_api_key }}
{{- $initMounts := .Values.pod.mounts.export_api_key.export_api_key }} {{- $initMounts := .Values.pod.mounts.export_api_key.export_api_key }}
{{- $serviceAccountName := "maas-export-api-key" }} {{- $serviceAccountName := "maas-export-api-key" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: v1
kind: Role kind: ServiceAccount
metadata: metadata:
name: {{ $serviceAccountName }} name: {{ $serviceAccountName }}
rules: namespace: {{ $envAll.Release.Namespace }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- update
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ $serviceAccountName }} name: {{ $envAll.Release.Name }}-{{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: Role
name: {{ $serviceAccountName }} name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ $serviceAccountName }} name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }} namespace: {{ $envAll.Release.Namespace }}
--- ---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ $envAll.Release.Name }}-{{ $envAll.Release.Namespace }}-{{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
rules:
- apiGroups:
- ""
- extensions
- batch
- apps
verbs:
- get
- list
resources:
- services
- endpoints
- jobs
- pods
- apiGroups:
- ""
verbs:
- get
- create
- update
resources:
- secrets
---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:

1
charts/maas/templates/job-import.yaml
View File

@ -1,5 +1,6 @@
{{/* {{/*
Copyright 2017 The Openstack-Helm Authors. Copyright 2017 The Openstack-Helm Authors.
Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.

2
charts/maas/templates/secret-db.yaml
View File

@ -32,5 +32,5 @@ data:
DATABASE_PASSWORD: |- DATABASE_PASSWORD: |-
{{ $auth.password | b64enc | indent 4 }} {{ $auth.password | b64enc | indent 4 }}
DATABASE_NAME: |- DATABASE_NAME: |-
{{ $envAll.Values.endpoints.maas_db.path | b64enc | indent 4 }} {{ $auth.database | default "" | b64enc | indent 4 }}
{{ end }} {{ end }}

3
charts/maas/templates/statefulset-region.yaml
View File

@ -16,9 +16,10 @@
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.region_controller }} {{- $dependencies := .Values.dependencies.region_controller }}
{{- $serviceAccountName := "maas-region" }} {{- $serviceAccountName := "maas-region" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }} {{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }}
{{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }} {{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
apiVersion: apps/v1beta1 apiVersion: apps/v1beta1
kind: StatefulSet kind: StatefulSet

2
charts/maas/values.yaml
View File

@ -1,4 +1,5 @@
# Copyright 2017 The Openstack-Helm Authors. # Copyright 2017 The Openstack-Helm Authors.
# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -251,6 +252,7 @@ endpoints:
user: user:
username: maas username: maas
password: password password: password
database: maasdb
path: maasdb path: maasdb
hosts: hosts:
default: postgresql default: postgresql