RBAC: Update serviceaccount and k8s rbac for shipyard
This patch set brings the shipyard chart in line with the OSH* RBAC approach used in [0] and [1]. [0] https://review.openstack.org/#/c/526464/52 [1] https://review.openstack.org/#/c/529378/ Change-Id: I608d00a69729e347b4121745e80f1e9760e5f6d4
parent
706bb69d2d
commit
5db6d42050
@ -17,6 +17,8 @@
|
|||||||
{{- $dependencies := .Values.dependencies.shipyard }}
|
{{- $dependencies := .Values.dependencies.shipyard }}
|
||||||
{{- $mounts_shipyard := .Values.pod.mounts.shipyard.shipyard }}
|
{{- $mounts_shipyard := .Values.pod.mounts.shipyard.shipyard }}
|
||||||
{{- $mounts_shipyard_init := .Values.pod.mounts.shipyard.init_container }}
|
{{- $mounts_shipyard_init := .Values.pod.mounts.shipyard.init_container }}
|
||||||
|
{{- $serviceAccountName := "shipyard" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1beta1
|
apiVersion: apps/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -33,6 +35,7 @@ spec:
|
|||||||
configmap-bin-hash: {{ tuple "configmap-shipyard-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-shipyard-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-shipyard-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.shipyard.timeout | default "30" }}
|
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.shipyard.timeout | default "30" }}
|
||||||
|
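Review bot: The service account name is a fixed literal, `{{- $serviceAccountName := "shipyard" }}`, so two releases of this chart in one namespace would render the same ServiceAccount and share one identity, along with whatever role the helm-toolkit snippet binds to it. If more than one release per namespace is a supported layout, derive the name from the release, e.g. `{{- $serviceAccountName := printf "%s-%s" .Release.Name "shipyard" }}`. The rules created by `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount` are not visible on this page, so a one-line template comment above the include stating what the account is allowed to read would help the next reviewer confirm it stays least-privilege. The same literal pattern is used for `shipyard-ks-endpoints`, `shipyard-ks-service`, `shipyard-ks-user`, `shipyard-db-init` and `shipyard-db-sync` in the job templates below.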
@ -32,7 +32,7 @@ spec:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
- name: airflow-db-init
|
- name: airflow-db-init
|
||||||
image: {{ .Values.images.tags.airflow_db_init | quote }}
|
image: {{ .Values.images.tags.airflow_db_init | quote }}
|
||||||
|
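Review bot: This Job gets no `serviceAccountName`: the only change is the third tuple argument going from `"[]"` to `list`, and the hunk header (`-32,7 +32,7`) shows that nothing was added above it. The pod therefore keeps the namespace's default service account while every other workload in this commit gets a dedicated one, so its entrypoint init container would either lack the role the RBAC snippet creates or rely on permissions granted to `default` (inferred, the snippet is not shown here). Consider adding `{{- $serviceAccountName := "shipyard-airflow-db-init" }}`, the matching `kubernetes_pod_rbac_serviceaccount` include, and `serviceAccountName: {{ $serviceAccountName }}` under the pod spec. The airflow-db-sync job in the next section has the same gap, and the pod spec starts above this hunk.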
@ -32,7 +32,7 @@ spec:
|
|||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
- name: airflow-db-sync
|
- name: airflow-db-sync
|
||||||
image: {{ .Values.images.tags.airflow_db_sync }}
|
image: {{ .Values.images.tags.airflow_db_sync }}
|
||||||
|
@ -13,7 +13,9 @@
|
|||||||
{{- if .Values.manifests.job_ks_endpoints }}
|
{{- if .Values.manifests.job_ks_endpoints }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- $dependencies := .Values.dependencies.ks_endpoints }}
|
{{- $dependencies := .Values.dependencies.ks_endpoints }}
|
||||||
|
{{- $serviceAccountName := "shipyard-ks-endpoints" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
@ -24,11 +26,12 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "shipyard" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "shipyard" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
{{- range $key1, $osServiceType := tuple "shipyard" }}
|
{{- range $key1, $osServiceType := tuple "shipyard" }}
|
||||||
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
|
{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
|
||||||
|
@ -15,7 +15,9 @@
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- $ksAdminSecret := .Values.secrets.identity.admin }}
|
{{- $ksAdminSecret := .Values.secrets.identity.admin }}
|
||||||
{{- $dependencies := .Values.dependencies.ks_service }}
|
{{- $dependencies := .Values.dependencies.ks_service }}
|
||||||
|
{{- $serviceAccountName := "shipyard-ks-service" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
@ -26,11 +28,12 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "shipyard" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "shipyard" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
{{- range $key1, $osServiceType := tuple "shipyard" }}
|
{{- range $key1, $osServiceType := tuple "shipyard" }}
|
||||||
- name: {{ $osServiceType }}-ks-service-registration
|
- name: {{ $osServiceType }}-ks-service-registration
|
||||||
|
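Review bot: The pod labels in this file still read `tuple $envAll "shipyard" "ks-user"`, although the job registers the service (container `{{ $osServiceType }}-ks-service-registration`, new account `shipyard-ks-service`). Presumably the third element becomes the component label, in which case this pod is indistinguishable by label from the ks-user job, and anything that selects pods by those labels would treat the two as one. `"ks-service"` looks like the intended value; the line is unchanged context, so this is likely an older copy-paste slip that this change could fix while touching the file.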
@ -16,6 +16,9 @@
|
|||||||
{{- $ksUserSecret := .Values.secrets.identity.user }}
|
{{- $ksUserSecret := .Values.secrets.identity.user }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- $dependencies := .Values.dependencies.ks_user }}
|
{{- $dependencies := .Values.dependencies.ks_user }}
|
||||||
|
{{- $serviceAccountName := "shipyard-ks-user" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
metadata:
|
metadata:
|
||||||
@ -23,11 +26,12 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
- name: shipyard-ks-user
|
- name: shipyard-ks-user
|
||||||
image: {{ .Values.images.tags.ks_user }}
|
image: {{ .Values.images.tags.ks_user }}
|
||||||
|
@ -17,6 +17,10 @@ limitations under the License.
|
|||||||
{{- if .Values.manifests.job_shipyard_db_init }}
|
{{- if .Values.manifests.job_shipyard_db_init }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- $dependencies := .Values.dependencies.shipyard_db_init }}
|
{{- $dependencies := .Values.dependencies.shipyard_db_init }}
|
||||||
|
{{- $mounts_shipyard_db_init := .Values.pod.mounts.shipyard_db_init.shipyard_db_init }}
|
||||||
|
{{- $mounts_shipyard_db_init_init := .Values.pod.mounts.shipyard_db_init.init_container }}
|
||||||
|
{{- $serviceAccountName := "shipyard-db-init" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -28,11 +32,12 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "shipyard" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "shipyard" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
- name: shipyard-db-init
|
- name: shipyard-db-init
|
||||||
image: {{ .Values.images.tags.shipyard_db_init | quote }}
|
image: {{ .Values.images.tags.shipyard_db_init | quote }}
|
||||||
@ -69,6 +74,7 @@ spec:
|
|||||||
mountPath: /etc/shipyard/shipyard.conf
|
mountPath: /etc/shipyard/shipyard.conf
|
||||||
subPath: shipyard.conf
|
subPath: shipyard.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ if $mounts_shipyard_db_init.volumeMounts }}{{ toYaml $mounts_shipyard_db_init.volumeMounts | indent 10 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: etc-shipyard
|
- name: etc-shipyard
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
@ -80,4 +86,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: shipyard-bin
|
name: shipyard-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{ if $mounts_shipyard_db_init.volumes }}{{ toYaml $mounts_shipyard_db_init.volumes | indent 6 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
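Review bot: `$mounts_shipyard_db_init_init` is assigned but never used in the visible hunks: the init-container snippet is still called with `list` as its third argument, so the new `init_container` key under `pod.mounts.shipyard_db_init` has no effect. Either pass the variable in place of `list`, if the snippet accepts a mounts value there, or drop the variable and the values key so operators are not led to believe an override is honoured. Separately, the new `toYaml $mounts_shipyard_db_init.volumes` and `.volumeMounts` lines append values-supplied entries verbatim to the pod spec; a template comment such as `{{/* operator-supplied extra volumes, rendered as-is */}}` would make that trust boundary explicit. The db-sync job template in the next section has the same unused `$mounts_shipyard_db_sync_init` and the same pass-through.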
@ -17,6 +17,10 @@ limitations under the License.
|
|||||||
{{- if .Values.manifests.job_shipyard_db_sync }}
|
{{- if .Values.manifests.job_shipyard_db_sync }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- $dependencies := .Values.dependencies.shipyard_db_sync }}
|
{{- $dependencies := .Values.dependencies.shipyard_db_sync }}
|
||||||
|
{{- $mounts_shipyard_db_sync := .Values.pod.mounts.shipyard_db_sync.shipyard_db_sync }}
|
||||||
|
{{- $mounts_shipyard_db_sync_init := .Values.pod.mounts.shipyard_db_sync.init_container }}
|
||||||
|
{{- $serviceAccountName := "shipyard-db-sync" }}
|
||||||
|
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -28,11 +32,12 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "shipyard" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "shipyard" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
- name: shipyard-db-sync
|
- name: shipyard-db-sync
|
||||||
image: {{ .Values.images.tags.shipyard_db_sync }}
|
image: {{ .Values.images.tags.shipyard_db_sync }}
|
||||||
@ -65,6 +70,7 @@ spec:
|
|||||||
mountPath: /etc/shipyard/shipyard.conf
|
mountPath: /etc/shipyard/shipyard.conf
|
||||||
subPath: shipyard.conf
|
subPath: shipyard.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
{{ if $mounts_shipyard_db_sync.volumeMounts }}{{ toYaml $mounts_shipyard_db_sync.volumeMounts | indent 10 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
- name: etc-shipyard
|
- name: etc-shipyard
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
@ -76,4 +82,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: shipyard-bin
|
name: shipyard-bin
|
||||||
defaultMode: 0555
|
defaultMode: 0555
|
||||||
|
{{ if $mounts_shipyard_db_sync.volumes }}{{ toYaml $mounts_shipyard_db_sync.volumes | indent 6 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
@ -453,6 +453,12 @@ pod:
|
|||||||
shipyard:
|
shipyard:
|
||||||
init_container: null
|
init_container: null
|
||||||
shipyard:
|
shipyard:
|
||||||
|
shipyard_db_init:
|
||||||
|
init_container: null
|
||||||
|
shipyard_db_init:
|
||||||
|
shipyard_db_sync:
|
||||||
|
init_container: null
|
||||||
|
shipyard_db_sync:
|
||||||
replicas:
|
replicas:
|
||||||
shipyard:
|
shipyard:
|
||||||
api: 2
|
api: 2
|
||||||
|