From 5db6d42050325e20f597f9960a594594b9483ecd Mon Sep 17 00:00:00 2001
From: Anthony Lin
Date: Wed, 27 Dec 2017 07:48:51 +0000
Subject: [PATCH] RBAC: Update serviceaccount and k8s rbac for shipyard
This patch set brings the shipyard chart to be inline with OSH* RBAC approach used in [0] and [1].
[0] https://review.openstack.org/#/c/526464/52
[1] https://review.openstack.org/#/c/529378/
Change-Id: I608d00a69729e347b4121745e80f1e9760e5f6d4
---
 charts/shipyard/templates/deployment-shipyard.yaml | 3 +++
 charts/shipyard/templates/job-airflow-db-init.yaml | 2 +-
 charts/shipyard/templates/job-airflow-db-sync.yaml | 2 +-
 charts/shipyard/templates/job-ks-endpoints.yaml | 7 +++++--
 charts/shipyard/templates/job-ks-service.yaml | 7 +++++--
 charts/shipyard/templates/job-ks-user.yaml | 6 +++++-
 charts/shipyard/templates/job-shipyard-db-init.yaml | 9 ++++++++-
 charts/shipyard/templates/job-shipyard-db-sync.yaml | 9 ++++++++-
 charts/shipyard/values.yaml | 6 ++++++
 9 files changed, 42 insertions(+), 9 deletions(-)
diff --git a/charts/shipyard/templates/deployment-shipyard.yaml b/charts/shipyard/templates/deployment-shipyard.yaml
index c233104f..f494a0c7 100644
--- a/charts/shipyard/templates/deployment-shipyard.yaml
+++ b/charts/shipyard/templates/deployment-shipyard.yaml
@@ -17,6 +17,8 @@
 {{- $dependencies := .Values.dependencies.shipyard }}
 {{- $mounts_shipyard := .Values.pod.mounts.shipyard.shipyard }}
 {{- $mounts_shipyard_init := .Values.pod.mounts.shipyard.init_container }}
+{{- $serviceAccountName := "shipyard" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: Deployment
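Review bot: `{{- $serviceAccountName := "shipyard" }}` is a fixed literal rather than a release-derived name, so two releases of this chart in one namespace would contend for the same ServiceAccount (and for whatever Role/RoleBinding `kubernetes_pod_rbac_serviceaccount` emits for it) unless the toolkit snippet scopes those objects itself; the snippet is not in this patch, so that cannot be confirmed here. The same literal pattern is used in job-ks-endpoints.yaml, job-ks-service.yaml, job-ks-user.yaml, job-shipyard-db-init.yaml and job-shipyard-db-sync.yaml. Since this include is where the pod's identity and its permissions are now decided, a short template comment above it would help the next reader, e.g. `{{/* ServiceAccount and RBAC for the shipyard pod are generated by the helm-toolkit snippet; its rules are derived from the $dependencies passed here */}}`.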
@@ -33,6 +35,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-shipyard-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.shipyard.timeout | default "30" }}
diff --git a/charts/shipyard/templates/job-airflow-db-init.yaml b/charts/shipyard/templates/job-airflow-db-init.yaml
index 3ce8f7db..e337541d 100644
--- a/charts/shipyard/templates/job-airflow-db-init.yaml
+++ b/charts/shipyard/templates/job-airflow-db-init.yaml
@@ -32,7 +32,7 @@ spec:
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 - name: airflow-db-init
 image: {{ .Values.images.tags.airflow_db_init | quote }}
diff --git a/charts/shipyard/templates/job-airflow-db-sync.yaml b/charts/shipyard/templates/job-airflow-db-sync.yaml
index 511caf2c..2c8cced0 100644
--- a/charts/shipyard/templates/job-airflow-db-sync.yaml
+++ b/charts/shipyard/templates/job-airflow-db-sync.yaml
@@ -32,7 +32,7 @@ spec:
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 - name: airflow-db-sync
 image: {{ .Values.images.tags.airflow_db_sync }}
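Review bot: job-airflow-db-init.yaml and job-airflow-db-sync.yaml only swap `"[]"` for `list` in the entrypoint init-container include and, unlike every other job in this patch, get no `$serviceAccountName`, no `kubernetes_pod_rbac_serviceaccount` include and no `serviceAccountName:` in the pod spec. Their entrypoint init containers therefore keep running under the namespace's default ServiceAccount, whose permissions are outside this chart's control; on a cluster where that account cannot read whatever API objects the dependency checks query, these two jobs would stall while the others proceed. If the omission is deliberate it deserves a comment at the include; otherwise the same three lines used in job-shipyard-db-init.yaml (`$serviceAccountName` assignment, the rbac include, `serviceAccountName:` in the pod spec) with names such as `shipyard-airflow-db-init` and `shipyard-airflow-db-sync` would bring them in line. The pod spec holding these lines starts outside both hunks.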
diff --git a/charts/shipyard/templates/job-ks-endpoints.yaml b/charts/shipyard/templates/job-ks-endpoints.yaml
index eca74369..d3b05d12 100644
--- a/charts/shipyard/templates/job-ks-endpoints.yaml
+++ b/charts/shipyard/templates/job-ks-endpoints.yaml
@@ -13,7 +13,9 @@
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
-
+{{- $serviceAccountName := "shipyard-ks-endpoints" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -24,11 +26,12 @@ spec:
 labels:
 {{ tuple $envAll "shipyard" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 {{- range $key1, $osServiceType := tuple "shipyard" }}
 {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
diff --git a/charts/shipyard/templates/job-ks-service.yaml b/charts/shipyard/templates/job-ks-service.yaml
index 8d17702c..3e2c6808 100644
--- a/charts/shipyard/templates/job-ks-service.yaml
+++ b/charts/shipyard/templates/job-ks-service.yaml
@@ -15,7 +15,9 @@
 {{- $envAll := . }}
 {{- $ksAdminSecret := .Values.secrets.identity.admin }}
 {{- $dependencies := .Values.dependencies.ks_service }}
-
+{{- $serviceAccountName := "shipyard-ks-service" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -26,11 +28,12 @@ spec:
 labels:
 {{ tuple $envAll "shipyard" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 {{- range $key1, $osServiceType := tuple "shipyard" }}
 - name: {{ $osServiceType }}-ks-service-registration
diff --git a/charts/shipyard/templates/job-ks-user.yaml b/charts/shipyard/templates/job-ks-user.yaml
index abdb8510..d1d39146 100644
--- a/charts/shipyard/templates/job-ks-user.yaml
+++ b/charts/shipyard/templates/job-ks-user.yaml
@@ -16,6 +16,9 @@
 {{- $ksUserSecret := .Values.secrets.identity.user }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
+{{- $serviceAccountName := "shipyard-ks-user" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -23,11 +26,12 @@ metadata:
 spec:
 template:
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 - name: shipyard-ks-user
 image: {{ .Values.images.tags.ks_user }}
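Review bot: In the job-ks-service.yaml hunk the pod template's labels come from `tuple $envAll "shipyard" "ks-user"`, while the container below is named `{{ $osServiceType }}-ks-service-registration` and the ServiceAccount this commit attaches is `shipyard-ks-service`; the component label looks copy-pasted from job-ks-user.yaml. It is a context line, so it predates this commit, but now that the pod's identity says ks-service and its labels say ks-user, anything that selects or audits pods by component label will be misled. Suggest `{{ tuple $envAll "shipyard" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}`. The `spec:` block holding these lines starts outside the hunk.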
diff --git a/charts/shipyard/templates/job-shipyard-db-init.yaml b/charts/shipyard/templates/job-shipyard-db-init.yaml
index 39beb505..6ee5afdf 100644
--- a/charts/shipyard/templates/job-shipyard-db-init.yaml
+++ b/charts/shipyard/templates/job-shipyard-db-init.yaml
@@ -17,6 +17,10 @@ limitations under the License.
 {{- if .Values.manifests.job_shipyard_db_init }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.shipyard_db_init }}
+{{- $mounts_shipyard_db_init := .Values.pod.mounts.shipyard_db_init.shipyard_db_init }}
+{{- $mounts_shipyard_db_init_init := .Values.pod.mounts.shipyard_db_init.init_container }}
+{{- $serviceAccountName := "shipyard-db-init" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -28,11 +32,12 @@ spec:
 labels:
 {{ tuple $envAll "shipyard" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 - name: shipyard-db-init
 image: {{ .Values.images.tags.shipyard_db_init | quote }}
@@ -69,6 +74,7 @@ spec:
 mountPath: /etc/shipyard/shipyard.conf
 subPath: shipyard.conf
 readOnly: true
+{{ if $mounts_shipyard_db_init.volumeMounts }}{{ toYaml $mounts_shipyard_db_init.volumeMounts | indent 10 }}{{ end }}
 volumes:
 - name: etc-shipyard
 emptyDir: {}
@@ -80,4 +86,5 @@ spec:
 configMap:
 name: shipyard-bin
 defaultMode: 0555
+{{ if $mounts_shipyard_db_init.volumes }}{{ toYaml $mounts_shipyard_db_init.volumes | indent 6 }}{{ end }}
 {{- end }}
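Review bot: `$mounts_shipyard_db_init_init` is assigned from `.Values.pod.mounts.shipyard_db_init.init_container` in the first hunk, but none of the hunks shown use it; the entrypoint include in the second hunk passes `list` as its third argument, so the `init_container` value this commit also adds to values.yaml has no effect. Its main-container counterpart `$mounts_shipyard_db_init` is wired into volumeMounts and volumes in the last two hunks, which suggests the init one was meant to be wired the same way. If the snippet's third argument is the init-container mounts, as the `_init` naming suggests (the snippet is not in this patch, so this is inferred), the include would become `{{ tuple $envAll $dependencies $mounts_shipyard_db_init_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}`; otherwise drop the unused assignment. job-shipyard-db-sync.yaml has the identical pattern with `$mounts_shipyard_db_sync_init`.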
diff --git a/charts/shipyard/templates/job-shipyard-db-sync.yaml b/charts/shipyard/templates/job-shipyard-db-sync.yaml
index e655e284..a4498e28 100644
--- a/charts/shipyard/templates/job-shipyard-db-sync.yaml
+++ b/charts/shipyard/templates/job-shipyard-db-sync.yaml
@@ -17,6 +17,10 @@ limitations under the License.
 {{- if .Values.manifests.job_shipyard_db_sync }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.shipyard_db_sync }}
+{{- $mounts_shipyard_db_sync := .Values.pod.mounts.shipyard_db_sync.shipyard_db_sync }}
+{{- $mounts_shipyard_db_sync_init := .Values.pod.mounts.shipyard_db_sync.init_container }}
+{{- $serviceAccountName := "shipyard-db-sync" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -28,11 +32,12 @@ spec:
 labels:
 {{ tuple $envAll "shipyard" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 - name: shipyard-db-sync
 image: {{ .Values.images.tags.shipyard_db_sync }}
@@ -65,6 +70,7 @@ spec:
 mountPath: /etc/shipyard/shipyard.conf
 subPath: shipyard.conf
 readOnly: true
+{{ if $mounts_shipyard_db_sync.volumeMounts }}{{ toYaml $mounts_shipyard_db_sync.volumeMounts | indent 10 }}{{ end }}
 volumes:
 - name: etc-shipyard
 emptyDir: {}
@@ -76,4 +82,5 @@ spec:
 configMap:
 name: shipyard-bin
 defaultMode: 0555
+{{ if $mounts_shipyard_db_sync.volumes }}{{ toYaml $mounts_shipyard_db_sync.volumes | indent 6 }}{{ end }}
 {{- end }}
diff --git a/charts/shipyard/values.yaml b/charts/shipyard/values.yaml
index 18de193f..fedb48c4 100644
--- a/charts/shipyard/values.yaml
+++ b/charts/shipyard/values.yaml
@@ -453,6 +453,12 @@ pod:
 shipyard:
 init_container: null
 shipyard:
+ shipyard_db_init:
+ init_container: null
+ shipyard_db_init:
+ shipyard_db_sync:
+ init_container: null
+ shipyard_db_sync:
 replicas:
 shipyard:
 api: 2
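Review bot: The new `shipyard_db_init:` and `shipyard_db_sync:` mount keys are left bare, which YAML reads as null, and job-shipyard-db-init.yaml / job-shipyard-db-sync.yaml then evaluate `.volumeMounts` and `.volumes` on that null value. This mirrors the existing bare `shipyard:` key directly above, so it is presumably tolerated by the chart's current rendering, but an explicit empty mapping states the intent and does not depend on how the template engine treats a nil receiver: `shipyard_db_init: {}` and `shipyard_db_sync: {}` (the `init_container: null` lines are already explicit). The enclosing `pod:` / `mounts:` stanza starts outside the hunk.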