RBAC: Update serviceaccount and k8s rbac for promenade
This patch set brings the promenade chart in line with the OSH* RBAC approach used in [0] and [1]. [0] https://review.openstack.org/#/c/526464/52 [1] https://review.openstack.org/#/c/529378/ Change-Id: Ida951702dadc8280d81ececac417ef53b936c8fe
parent
b9dceb2a9a
commit
83cfb760c4
|
@ -16,6 +16,11 @@ limitations under the License.
|
|||
|
||||
{{- if .Values.manifests.deployment_api }}
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.api }}
|
||||
{{- $mounts_promenade := .Values.pod.mounts.promenade_api.promenade_api }}
|
||||
{{- $mounts_promenade_init := .Values.pod.mounts.promenade_api.init_container }}
|
||||
{{- $serviceAccountName := "promenade-api" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
|
@ -32,6 +37,7 @@ spec:
|
|||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "promenade" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
nodeSelector:
|
||||
|
@ -54,9 +60,11 @@ spec:
|
|||
mountPath: /etc/promenade/api-paste.ini
|
||||
subPath: api-paste.ini
|
||||
readOnly: true
|
||||
{{ if $mounts_promenade.volumeMounts }}{{ toYaml $mounts_promenade.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
- name: promenade-etc
|
||||
configMap:
|
||||
name: promenade-etc
|
||||
defaultMode: 0444
|
||||
{{ if $mounts_promenade.volumes }}{{ toYaml $mounts_promenade.volumes | indent 8 }}{{ end }}
|
||||
{{- end }}
|
||||
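Review bot: The two added passthrough lines, `{{ if $mounts_promenade.volumeMounts }}…` and `{{ if $mounts_promenade.volumes }}…`, render whatever `.Values.pod.mounts.promenade_api.promenade_api` holds straight into the pod spec, and nothing in the template says so. An override can therefore add any volume type the cluster admits, including hostPath or Secret volumes, to the API pod, so overrides of this key deserve the same review as the template itself. I would add a template comment above the `volumeMounts` passthrough, e.g. `{{/* extra mounts are taken verbatim from values; review overrides that add hostPath or secret volumes */}}`. `$mounts_promenade_init` is assigned in the first hunk but used in no line shown here; if it is not passed to the init-container include outside the hunks, drop it.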
|
|
|
@ -16,7 +16,8 @@
|
|||
{{- if .Values.manifests.job_ks_endpoints }}
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.ks_endpoints }}
|
||||
|
||||
{{- $serviceAccountName := "promenade-ks-endpoints" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
|
@ -28,11 +29,12 @@ spec:
|
|||
labels:
|
||||
{{ tuple $envAll "promenade" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
initContainers:
|
||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
{{- range $key1, $osServiceType := tuple "kubernetesprovisioner" }}
|
||||
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
|
||||
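Review bot: `serviceAccountName: {{ $serviceAccountName }}` is set at pod level, so the token of `promenade-ks-endpoints` is mounted into every container of the Job, not only the dependency-check init container; the same holds for the ks-service and ks-user Jobs and the API Deployment in this commit. What the account may do is decided inside `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount`, which is not visible here, so a reader of this template cannot tell what the registration containers could reach with that token. A comment next to the `$serviceAccountName` assignment would help, e.g. `{{/* account exists for the init container's dependency checks; bind no further roles to it */}}`, assuming that is the intent. The Job spec continues outside the hunk.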
|
|
|
@ -18,6 +18,8 @@
|
|||
{{- $envAll := . }}
|
||||
{{- $ksAdminSecret := .Values.secrets.identity.admin }}
|
||||
{{- $dependencies := .Values.dependencies.ks_service }}
|
||||
{{- $serviceAccountName := "promenade-ks-service" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
|
@ -29,11 +31,12 @@ spec:
|
|||
labels:
|
||||
{{ tuple $envAll "promenade" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
initContainers:
|
||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
{{- range $key1, $osServiceType := tuple "kubernetesprovisioner" }}
|
||||
- name: {{ $osServiceType }}-ks-service-registration
|
||||
|
|
|
@ -19,6 +19,8 @@
|
|||
{{- $ksUserSecret := .Values.secrets.identity.user }}
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.ks_user }}
|
||||
{{- $serviceAccountName := "promenade-ks-user" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
|
@ -27,13 +29,14 @@ spec:
|
|||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{ tuple $envAll "drydock" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
{{ tuple $envAll "promenade" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
initContainers:
|
||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
- name: promenade-ks-user
|
||||
image: {{ .Values.images.tags.ks_user }}
|
||||
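Review bot: The Job manifest in this template is not separated from the output of the `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount` include: `apiVersion: batch/v1` follows the include line directly, whereas the deployment, ks-endpoints and ks-service templates in this commit each place `---` between the two. Unless the snippet's output ends with its own document separator (its definition is not visible here), the Job's keys land in the same YAML document as the last RBAC object. The render then either fails on duplicate keys or one object silently replaces the other, leaving the Job or the RBAC object it depends on missing from the release. Add a `---` line directly after the include, as in the other three templates.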
|
|
|
@ -70,6 +70,13 @@ dependencies:
|
|||
services:
|
||||
- service: identity
|
||||
endpoint: internal
|
||||
api:
|
||||
jobs:
|
||||
- promenade-ks-service
|
||||
- promenade-ks-user
|
||||
services:
|
||||
- service: identity
|
||||
endpoint: internal
|
||||
|
||||
secrets:
|
||||
identity:
|
||||
|
@ -126,6 +133,10 @@ endpoints:
|
|||
default: null
|
||||
|
||||
pod:
|
||||
mounts:
|
||||
promenade_api:
|
||||
init_container: null
|
||||
promenade_api:
|
||||
affinity:
|
||||
anti:
|
||||
type:
|
||||
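Review bot: The new inner `promenade_api:` key under `pod.mounts.promenade_api` carries no value, so it parses as null (the rendering has lost indentation, so the nesting is inferred from the template's `.Values.pod.mounts.promenade_api.promenade_api` lookup). The deployment template then reads `.volumeMounts` and `.volumes` from that null, which relies on how the template engine treats field access on a nil value. Spelling out the empty defaults makes the expected schema visible and removes that reliance: `promenade_api:` followed by `volumeMounts: []` and `volumes: []`.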
|
|