119 lines
3.8 KiB
YAML
119 lines
3.8 KiB
YAML
{{/*
|
|
Copyright 2019 The Openstack-Helm Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/}}
|
|
|
|
{{/*
|
|
Enabling this manifest enables the usage of a ServiceAccount with
|
|
readonly permissions for Sonobuoy plugins that mount the created
|
|
token.
|
|
|
|
To use this readonly ServiceAccount mount the ServiceAccountToken in
|
|
`values.yaml` like:
|
|
|
|
```
|
|
conf:
|
|
plugins:
|
|
- name: plugin-needing-readonly.yaml
|
|
data: |
|
|
sonobuoy-config:
|
|
driver: Job
|
|
plugin-name: plugin-needing-readonly
|
|
result-type: plugin-needing-readonly
|
|
spec:
|
|
name: plugin-needing-readonly
|
|
image: "plugin-needing-readonly:latest"
|
|
imagePullPolicy: "IfNotPresent"
|
|
volumeMounts:
|
|
- mountPath: /tmp/results
|
|
name: results
|
|
readOnly: false
|
|
- name: readonly-token
|
|
# It's recommended to use this mountPath to overwrite the
|
|
# Sonobuoy service account credentials that are mounted
|
|
# by default in the plugin containers to prevent plugins
|
|
# from accidentally using credentials with full permissions.
|
|
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
|
|
extra-volumes:
|
|
- name: readonly-token
|
|
secret:
|
|
secretName: sonobuoy-readonly-serviceaccount-token-secret
|
|
```
|
|
|
|
After mounting the readonly token, the example at
|
|
https://github.com/kubernetes-client/python/tree/3fb2be14e18d84edef094bbd908b6bb3e39aafe6#example
|
|
may be referenced to list pods, etc.
|
|
*/}}
|
|
|
|
{{- if .Values.manifests.serviceaccount_readonly }}
|
|
{{- $envAll := . }}
|
|
|
|
{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }}
|
|
{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: sonobuoy-readonly-clusterrole
|
|
rules:
|
|
- apiGroups:
|
|
- "*"
|
|
resources:
|
|
- "*"
|
|
verbs:
|
|
- "get"
|
|
- "list"
|
|
- "watch"
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: sonobuoy-readonly-clusterrolebinding
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: sonobuoy-readonly-clusterrole
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ $serviceAccountName }}
|
|
namespace: {{ .Release.Namespace }}
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
type: kubernetes.io/service-account-token
|
|
metadata:
|
|
name: {{ $serviceAccountName }}-token-secret
|
|
namespace: {{ .Release.Namespace }}
|
|
annotations:
|
|
kubernetes.io/service-account.name: {{ $serviceAccountName }}
|
|
{{/*
|
|
post-install hook is required to cause ServiceAccount to be deployed
|
|
before creating a secret token for it. By default helm deploys secrets
|
|
before ServiceAccounts which causes this secret to not exist since the
|
|
ServiceAccount is missing.
|
|
post-upgrade hook is required when upgrading from a previous version of
|
|
this chart that did not have this secret.
|
|
*/}}
|
|
"helm.sh/hook": "post-install,post-upgrade"
|
|
{{/*
|
|
before--hook-creation hook is required for sequential upgrades. Tiller
|
|
does not keep track of resources installed via post-{install,upgrade} hooks,
|
|
this causes an "Already exists" error when upgrading without this hook. With
|
|
this hook, this secret will be deleted before upgrading, which will then install
|
|
this resource.
|
|
*/}}
|
|
"helm.sh/hook-delete-policy": "before-hook-creation"
|
|
---
|
|
{{- end }}
|