openstack
/
openstack-helm-addons
Code Issues Proposed changes
openstack-helm-addons/sonobuoy/templates/serviceaccount-readonly.yaml

119 lines
3.8 KiB
YAML
Raw Blame History

{{/*
Copyright 2019 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{/*
Enabling this manifest enables the usage of a ServiceAccount with
readonly permissions for Sonobuoy plugins that mount the created
token.
To use this readonly ServiceAccount mount the ServiceAccountToken in
`values.yaml` like:
```
conf:
plugins:
- name: plugin-needing-readonly.yaml
data: |
sonobuoy-config:
driver: Job
plugin-name: plugin-needing-readonly
result-type: plugin-needing-readonly
spec:
name: plugin-needing-readonly
image: "plugin-needing-readonly:latest"
imagePullPolicy: "IfNotPresent"
volumeMounts:
- mountPath: /tmp/results
name: results
readOnly: false
- name: readonly-token
# It's recommended to use this mountPath to overwrite the
# Sonobuoy service account credentials that are mounted
# by default in the plugin containers to prevent plugins
# from accidentally using credentials with full permissions.
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
extra-volumes:
- name: readonly-token
secret:
secretName: sonobuoy-readonly-serviceaccount-token-secret
```
After mounting the readonly token, the example at
https://github.com/kubernetes-client/python/tree/3fb2be14e18d84edef094bbd908b6bb3e39aafe6#example
may be referenced to list pods, etc.
*/}}
{{- if .Values.manifests.serviceaccount_readonly }}
{{- $envAll := . }}
{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }}
{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sonobuoy-readonly-clusterrole
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- "get"
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: sonobuoy-readonly-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: sonobuoy-readonly-clusterrole
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: {{ $serviceAccountName }}-token-secret
namespace: {{ .Release.Namespace }}
annotations:
kubernetes.io/service-account.name: {{ $serviceAccountName }}
{{/*
post-install hook is required to cause ServiceAccount to be deployed
before creating a secret token for it. By default helm deploys secrets
before ServiceAccounts which causes this secret to not exist since the
ServiceAccount is missing.
post-upgrade hook is required when upgrading from a previous version of
this chart that did not have this secret.
*/}}
"helm.sh/hook": "post-install,post-upgrade"
{{/*
before--hook-creation hook is required for sequential upgrades. Tiller
does not keep track of resources installed via post-{install,upgrade} hooks,
this causes an "Already exists" error when upgrading without this hook. With
this hook, this secret will be deleted before upgrading, which will then install
this resource.
*/}}
"helm.sh/hook-delete-policy": "before-hook-creation"
---
{{- end }}
View Git Blame Copy Permalink