RBAC: Update serviceaccount and k8s rbac for promenade

This patch set brings the promenade chart in line with the OSH* RBAC
approach used in [0] and [1].

[0] https://review.openstack.org/#/c/526464/52
[1] https://review.openstack.org/#/c/529378/

Change-Id: Ida951702dadc8280d81ececac417ef53b936c8fe
Anthony Lin 2017-12-28 18:35:37 +00:00
parent b9dceb2a9a
commit 83cfb760c4
5 changed files with 32 additions and 5 deletions


@ -16,6 +16,11 @@ limitations under the License.
{{- if .Values.manifests.deployment_api }} {{- if .Values.manifests.deployment_api }}
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.api }}
{{- $mounts_promenade := .Values.pod.mounts.promenade_api.promenade_api }}
{{- $mounts_promenade_init := .Values.pod.mounts.promenade_api.init_container }}
{{- $serviceAccountName := "promenade-api" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
@ -32,6 +37,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec: spec:
serviceAccountName: {{ $serviceAccountName }}
affinity: affinity:
{{ tuple $envAll "promenade" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} {{ tuple $envAll "promenade" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector: nodeSelector:
@ -54,9 +60,11 @@ spec:
mountPath: /etc/promenade/api-paste.ini mountPath: /etc/promenade/api-paste.ini
subPath: api-paste.ini subPath: api-paste.ini
readOnly: true readOnly: true
{{ if $mounts_promenade.volumeMounts }}{{ toYaml $mounts_promenade.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
- name: promenade-etc - name: promenade-etc
configMap: configMap:
name: promenade-etc name: promenade-etc
defaultMode: 0444 defaultMode: 0444
{{ if $mounts_promenade.volumes }}{{ toYaml $mounts_promenade.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}
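Review bot: The pod-level `serviceAccountName: {{ $serviceAccountName }}` added under `spec:` gives every container in the promenade-api pod the same service account, so the API container also receives whatever Kubernetes permissions the `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount` include generates from `dependencies.api`. That snippet is not part of this change, so its rules cannot be checked here; they should be confirmed to be read-only and limited to the jobs and services listed under `dependencies.api`. A template comment above the `$serviceAccountName` line would record the intent, for example `{{/* promenade-api account: exists for the dependency check; grant nothing beyond read access to the listed dependencies */}}`. The same applies to the three job templates that add `promenade-ks-endpoints`, `promenade-ks-service` and `promenade-ks-user`. `$mounts_promenade_init` is defined here but not used in any visible hunk; its use presumably sits in the init container call outside these hunks.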


@ -16,7 +16,8 @@
{{- if .Values.manifests.job_ks_endpoints }} {{- if .Values.manifests.job_ks_endpoints }}
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.ks_endpoints }} {{- $dependencies := .Values.dependencies.ks_endpoints }}
{{- $serviceAccountName := "promenade-ks-endpoints" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
@ -28,11 +29,12 @@ spec:
labels: labels:
{{ tuple $envAll "promenade" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "promenade" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec: spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure restartPolicy: OnFailure
nodeSelector: nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
initContainers: initContainers:
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers: containers:
{{- range $key1, $osServiceType := tuple "kubernetesprovisioner" }} {{- range $key1, $osServiceType := tuple "kubernetesprovisioner" }}
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}


@ -18,6 +18,8 @@
{{- $envAll := . }} {{- $envAll := . }}
{{- $ksAdminSecret := .Values.secrets.identity.admin }} {{- $ksAdminSecret := .Values.secrets.identity.admin }}
{{- $dependencies := .Values.dependencies.ks_service }} {{- $dependencies := .Values.dependencies.ks_service }}
{{- $serviceAccountName := "promenade-ks-service" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
@ -29,11 +31,12 @@ spec:
labels: labels:
{{ tuple $envAll "promenade" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "promenade" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec: spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure restartPolicy: OnFailure
nodeSelector: nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
initContainers: initContainers:
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers: containers:
{{- range $key1, $osServiceType := tuple "kubernetesprovisioner" }} {{- range $key1, $osServiceType := tuple "kubernetesprovisioner" }}
- name: {{ $osServiceType }}-ks-service-registration - name: {{ $osServiceType }}-ks-service-registration


@ -19,6 +19,8 @@
{{- $ksUserSecret := .Values.secrets.identity.user }} {{- $ksUserSecret := .Values.secrets.identity.user }}
{{- $envAll := . }} {{- $envAll := . }}
{{- $dependencies := .Values.dependencies.ks_user }} {{- $dependencies := .Values.dependencies.ks_user }}
{{- $serviceAccountName := "promenade-ks-user" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
@ -27,13 +29,14 @@ spec:
template: template:
metadata: metadata:
labels: labels:
{{ tuple $envAll "drydock" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "promenade" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec: spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure restartPolicy: OnFailure
nodeSelector: nodeSelector:
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
initContainers: initContainers:
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers: containers:
- name: promenade-ks-user - name: promenade-ks-user
image: {{ .Values.images.tags.ks_user }} image: {{ .Values.images.tags.ks_user }}
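Review bot: The added include of `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount` is followed directly by `apiVersion: batch/v1` with no `---` between them, whereas the deployment and the other two job templates keep a `---` after the same include. If the snippet renders its ServiceAccount and role manifests without a trailing separator (it is not visible here), the Job's keys land in the preceding YAML document, so one of the objects is lost or the render fails, and the job may start without its service account or RBAC. Add a line containing only `---` directly after the include. The Job body continues outside the hunk.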


@ -70,6 +70,13 @@ dependencies:
services: services:
- service: identity - service: identity
endpoint: internal endpoint: internal
api:
jobs:
- promenade-ks-service
- promenade-ks-user
services:
- service: identity
endpoint: internal
secrets: secrets:
identity: identity:
@ -126,6 +133,10 @@ endpoints:
default: null default: null
pod: pod:
mounts:
promenade_api:
init_container: null
promenade_api:
affinity: affinity:
anti: anti:
type: type: