Merge "RBAC: Consolidate serviceaccounts and restrict rbac"
This commit is contained in:
Zuul
Gerrit Code Review
commit
558ed8cd27
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.etcd -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.etcd -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "calico-etcd"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
|
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
|
||||||
# to force it to run on the master even when the master isn't schedulable, and uses
|
# to force it to run on the master even when the master isn't schedulable, and uses
|
||||||
@ -76,7 +79,6 @@ spec:
|
|||||||
- name: var-etcd
|
- name: var-etcd
|
||||||
mountPath: /var/etcd
|
mountPath: /var/etcd
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: var-etcd
|
- name: var-etcd
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/etcd
|
path: /var/etcd
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_node -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_node -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "calico-cni-plugin"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
# This manifest installs the calico/node container, as well
|
# This manifest installs the calico/node container, as well
|
||||||
# as the Calico CNI plugins and network config on
|
# as the Calico CNI plugins and network config on
|
||||||
@ -57,7 +60,7 @@ spec:
|
|||||||
# This, along with the annotation above marks this pod as a critical add-on.
|
# This, along with the annotation above marks this pod as a critical add-on.
|
||||||
- key: CriticalAddonsOnly
|
- key: CriticalAddonsOnly
|
||||||
operator: Exists
|
operator: Exists
|
||||||
serviceAccountName: calico-cni-plugin
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
@ -160,7 +163,6 @@ spec:
|
|||||||
- mountPath: /host/etc/cni/net.d
|
- mountPath: /host/etc/cni/net.d
|
||||||
name: cni-net-dir
|
name: cni-net-dir
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
# Used by calico/node.
|
# Used by calico/node.
|
||||||
- name: lib-modules
|
- name: lib-modules
|
||||||
hostPath:
|
hostPath:
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_policy_controller -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_policy_controller -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "calico-policy-controller"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
# This manifest deploys the Calico policy controller on Kubernetes.
|
# This manifest deploys the Calico policy controller on Kubernetes.
|
||||||
# See https://github.com/projectcalico/k8s-policy
|
# See https://github.com/projectcalico/k8s-policy
|
||||||
@ -58,7 +61,7 @@ spec:
|
|||||||
# This, along with the annotation above marks this pod as a critical add-on.
|
# This, along with the annotation above marks this pod as a critical add-on.
|
||||||
- key: CriticalAddonsOnly
|
- key: CriticalAddonsOnly
|
||||||
operator: Exists
|
operator: Exists
|
||||||
serviceAccountName: calico-policy-controller
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
@ -80,6 +83,4 @@ spec:
|
|||||||
# kubernetes.default to the correct service clusterIP.
|
# kubernetes.default to the correct service clusterIP.
|
||||||
- name: CONFIGURE_ETC_HOSTS
|
- name: CONFIGURE_ETC_HOSTS
|
||||||
value: "true"
|
value: "true"
|
||||||
volumes:
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "calico-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "calico" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "calico" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -53,7 +57,6 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
mountPath: /var/run/docker.sock
|
mountPath: /var/run/docker.sock
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: calico-bin
|
- name: calico-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: calico-bin
|
name: calico-bin
|
||||||
|
|||||||
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -114,7 +114,4 @@ manifests:
|
|||||||
daemonset_calico_node: true
|
daemonset_calico_node: true
|
||||||
deployment_calico_policy_controller: true
|
deployment_calico_policy_controller: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service_calico_etcd: true
|
service_calico_etcd: true
|
||||||
serviceaccount_calico_cni_plugin: true
|
|
||||||
serviceaccount_calico_policy_controller: true
|
|
||||||
|
|||||||
@ -14,11 +14,20 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if .Values.manifests.serviceaccount_calico_cni_plugin }}
|
{{- if .Values.manifests.clusterrolebinding_client }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
{{- $serviceAccountName := "elasticsearch-client"}}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ServiceAccount
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-cni-plugin
|
name: run-elasticsearch-client
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ $serviceAccountName }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: elasticsearch-runner
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -14,16 +14,17 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if .Values.manifests.clusterrolebinding }}
|
{{- if .Values.manifests.clusterrolebinding_data }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
{{- $serviceAccountName := "elasticsearch-data"}}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: run-elasticsearch
|
name: run-elasticsearch-data
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: elasticsearch
|
name: {{ $serviceAccountName }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- if .Capabilities.APIVersions.Has "batch/v2alpha1" }}
|
{{- if .Capabilities.APIVersions.Has "batch/v2alpha1" }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.curator -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.curator -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "curator"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v2alpha1
|
apiVersion: batch/v2alpha1
|
||||||
kind: CronJob
|
kind: CronJob
|
||||||
@ -32,6 +35,7 @@ spec:
|
|||||||
spec:
|
spec:
|
||||||
template:
|
template:
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
|
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
|
||||||
@ -67,6 +71,5 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: elastic-etc
|
name: elastic-etc
|
||||||
defaultMode: 0444
|
defaultMode: 0444
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 12 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_client -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_client -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "elasticsearch-client"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -37,7 +40,7 @@ spec:
|
|||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: elasticsearch
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
affinity:
|
affinity:
|
||||||
{{ tuple $envAll "elasticsearch" "client" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
{{ tuple $envAll "elasticsearch" "client" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.client.timeout | default "600" }}
|
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.client.timeout | default "600" }}
|
||||||
@ -124,7 +127,6 @@ spec:
|
|||||||
- name: storage
|
- name: storage
|
||||||
mountPath: {{ .Values.conf.elasticsearch.path.data }}
|
mountPath: {{ .Values.conf.elasticsearch.path.data }}
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: elastic-logs
|
- name: elastic-logs
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: elastic-bin
|
- name: elastic-bin
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_master -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_master -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "elasticsearch-master"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -37,7 +40,7 @@ spec:
|
|||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: elasticsearch
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
affinity:
|
affinity:
|
||||||
{{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
{{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.master.timeout | default "600" }}
|
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.master.timeout | default "600" }}
|
||||||
@ -118,7 +121,6 @@ spec:
|
|||||||
- name: storage
|
- name: storage
|
||||||
mountPath: {{ .Values.conf.elasticsearch.path.data }}
|
mountPath: {{ .Values.conf.elasticsearch.path.data }}
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: elastic-logs
|
- name: elastic-logs
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: elastic-bin
|
- name: elastic-bin
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "elasticsearch-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "elasticsearch" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "elasticsearch" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -60,6 +64,5 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/docker.sock
|
path: /var/run/docker.sock
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -40,7 +40,6 @@ spec:
|
|||||||
subPath: helm-tests.sh
|
subPath: helm-tests.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 4 }}
|
|
||||||
- name: elastic-bin
|
- name: elastic-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: elastic-bin
|
name: elastic-bin
|
||||||
|
|||||||
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_data -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_data -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "elasticsearch-data"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1beta1
|
apiVersion: apps/v1beta1
|
||||||
kind: StatefulSet
|
kind: StatefulSet
|
||||||
@ -34,7 +37,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: elasticsearch
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
affinity:
|
affinity:
|
||||||
{{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
{{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.data.timeout | default "600" }}
|
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.data.timeout | default "600" }}
|
||||||
@ -115,7 +118,6 @@ spec:
|
|||||||
- name: storage
|
- name: storage
|
||||||
mountPath: {{ .Values.conf.elasticsearch.path.data }}
|
mountPath: {{ .Values.conf.elasticsearch.path.data }}
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: elastic-logs
|
- name: elastic-logs
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: elastic-bin
|
- name: elastic-bin
|
||||||
|
|||||||
@ -254,7 +254,8 @@ storage:
|
|||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
clusterrole: true
|
clusterrole: true
|
||||||
clusterrolebinding: true
|
clusterrolebinding_client: true
|
||||||
|
clusterrolebinding_data: true
|
||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
configmap_etc: true
|
configmap_etc: true
|
||||||
cron_curator: true
|
cron_curator: true
|
||||||
@ -262,7 +263,6 @@ manifests:
|
|||||||
deployment_master: true
|
deployment_master: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
helm_tests: true
|
helm_tests: true
|
||||||
rbac_entrypoint: true
|
|
||||||
serviceaccount: true
|
serviceaccount: true
|
||||||
service_data: true
|
service_data: true
|
||||||
service_discovery: true
|
service_discovery: true
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.flannel -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.flannel -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "flannel"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
@ -45,7 +48,7 @@ spec:
|
|||||||
- key: node-role.kubernetes.io/master
|
- key: node-role.kubernetes.io/master
|
||||||
operator: Exists
|
operator: Exists
|
||||||
effect: NoSchedule
|
effect: NoSchedule
|
||||||
serviceAccountName: flannel
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
containers:
|
containers:
|
||||||
@ -77,7 +80,6 @@ spec:
|
|||||||
- name: flannel-cfg
|
- name: flannel-cfg
|
||||||
mountPath: /etc/kube-flannel/
|
mountPath: /etc/kube-flannel/
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: run
|
- name: run
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /run
|
path: /run
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "flannel-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "flannel" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "flannel" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -53,7 +57,6 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
mountPath: /var/run/docker.sock
|
mountPath: /var/run/docker.sock
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: flannel-bin
|
- name: flannel-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: flannel-bin
|
name: flannel-bin
|
||||||
|
|||||||
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -84,5 +84,4 @@ manifests:
|
|||||||
configmap_kube_flannel_cfg: true
|
configmap_kube_flannel_cfg: true
|
||||||
daemonset_kube_flannel_ds: true
|
daemonset_kube_flannel_ds: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
rbac_entrypoint: true
|
|
||||||
serviceaccount_flannel: true
|
serviceaccount_flannel: true
|
||||||
|
|||||||
@ -14,11 +14,19 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if .Values.manifests.serviceaccount_calico_policy_controller }}
|
{{- if .Values.manifests.clusterrolebinding_fluentbit }}
|
||||||
{{- $envAll := . }}
|
{{- $serviceAccountName := "fluentbit"}}
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ServiceAccount
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: calico-policy-controller
|
name: run-fluent-bit-logging
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ $serviceAccountName }}
|
||||||
|
namespace: {{ .Release.Namespace }}
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: fluent-logging-runner
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@ -14,14 +14,16 @@ See the License for the specific language governing permissions and
|
|||||||
limitations under the License.
|
limitations under the License.
|
||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if .Values.manifests.clusterrolebinding }}
|
{{- if .Values.manifests.clusterrolebinding_logging }}
|
||||||
|
{{- $serviceAccountName := "fluentd"}}
|
||||||
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: run-fluent-logging
|
name: run-fluent-logging
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: fluent-logging
|
name: {{ $serviceAccountName }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
@ -22,7 +22,11 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentbit -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentbit -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- $mounts_fluentbit := .Values.pod.mounts.fluentbit.fluentbit }}
|
{{- $mounts_fluentbit := .Values.pod.mounts.fluentbit.fluentbit }}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "fluentbit"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
@ -37,7 +41,7 @@ spec:
|
|||||||
annotations:
|
annotations:
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: fluent-logging
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.fluentbit.node_selector_key }}: {{ .Values.labels.fluentbit.node_selector_value }}
|
{{ .Values.labels.fluentbit.node_selector_key }}: {{ .Values.labels.fluentbit.node_selector_value }}
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
@ -73,7 +77,6 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
{{ if $mounts_fluentbit.volumeMounts }}{{ toYaml $mounts_fluentbit.volumeMounts | indent 8 }}{{ end }}
|
{{ if $mounts_fluentbit.volumeMounts }}{{ toYaml $mounts_fluentbit.volumeMounts | indent 8 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: varlog
|
- name: varlog
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/log
|
path: /var/log
|
||||||
|
|||||||
@ -21,7 +21,11 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentd -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentd -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- $mounts_fluentd := .Values.pod.mounts.fluentd.fluentd }}
|
{{- $mounts_fluentd := .Values.pod.mounts.fluentd.fluentd }}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "fluentd"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -38,7 +42,7 @@ spec:
|
|||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: fluent-logging
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
affinity:
|
affinity:
|
||||||
{{ tuple $envAll "aggregator" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
{{ tuple $envAll "aggregator" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -69,7 +73,6 @@ spec:
|
|||||||
readOnly: true
|
readOnly: true
|
||||||
{{- if $mounts_fluentd.volumeMounts }}{{ toYaml $mounts_fluentd.volumeMounts | indent 12 }}{{- end }}
|
{{- if $mounts_fluentd.volumeMounts }}{{ toYaml $mounts_fluentd.volumeMounts | indent 12 }}{{- end }}
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: pod-etc-fluentd
|
- name: pod-etc-fluentd
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: fluent-logging-etc
|
- name: fluent-logging-etc
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "fluent-logging-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "fluent-logging-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "fluent-logging-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -53,7 +57,6 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
mountPath: /var/run/docker.sock
|
mountPath: /var/run/docker.sock
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: fluent-logging-bin
|
- name: fluent-logging-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: fluent-logging-bin
|
name: fluent-logging-bin
|
||||||
|
|||||||
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -1,22 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.serviceaccount }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: fluent-logging
|
|
||||||
{{- end }}
|
|
||||||
@ -217,14 +217,13 @@ pod:
|
|||||||
fluent_tests:
|
fluent_tests:
|
||||||
|
|
||||||
manifests:
|
manifests:
|
||||||
service_fluentd: true
|
clusterrole: true
|
||||||
|
clusterrolebinding_fluentbit: true
|
||||||
|
clusterrolebinding_logging: true
|
||||||
|
configmap_bin: true
|
||||||
|
configmap_etc: true
|
||||||
deployment_fluentd: true
|
deployment_fluentd: true
|
||||||
daemonset_fluentbit: true
|
daemonset_fluentbit: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
helm_tests: true
|
helm_tests: true
|
||||||
configmap_bin: true
|
service_fluentd: true
|
||||||
configmap_etc: true
|
|
||||||
clusterrole: true
|
|
||||||
clusterrolebinding: true
|
|
||||||
rbac_entrypoint: true
|
|
||||||
serviceaccount: true
|
|
||||||
|
|||||||
@ -18,8 +18,6 @@ limitations under the License.
|
|||||||
{{- $envAll := index . 0 -}}
|
{{- $envAll := index . 0 -}}
|
||||||
{{- $deps := index . 1 -}}
|
{{- $deps := index . 1 -}}
|
||||||
{{- $mounts := index . 2 -}}
|
{{- $mounts := index . 2 -}}
|
||||||
{{- $mountServiceAccount := dict "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" "name" "entrypoint-serviceaccount-secret" "readOnly" true -}}
|
|
||||||
{{- $mountsEntrypoint := append $mounts $mountServiceAccount -}}
|
|
||||||
- name: init
|
- name: init
|
||||||
{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
|
{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
|
||||||
env:
|
env:
|
||||||
@ -48,5 +46,5 @@ limitations under the License.
|
|||||||
command:
|
command:
|
||||||
- kubernetes-entrypoint
|
- kubernetes-entrypoint
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
{{ toYaml $mountsEntrypoint | indent 4 }}
|
{{ toYaml $mounts | indent 4 }}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|||||||
@ -1,86 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_rbac" -}}
|
|
||||||
{{- $envAll := index . 0 -}}
|
|
||||||
{{- $component := $envAll.Release.Name -}}
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
||||||
metadata:
|
|
||||||
name: cluster-role-binding-entrypoint-{{ $component }}
|
|
||||||
annotations:
|
|
||||||
# Tiller sorts the execution of resources in the following order:
|
|
||||||
# Secret, ServiceAccount, Role, RoleBinding. The problem is that
|
|
||||||
# this Secret will not be created if ServiceAccount doesn't exist.
|
|
||||||
# The solution is to add pre-install hook so that these are created first.
|
|
||||||
helm.sh/hook: pre-install
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cluster-role-entrypoint-{{ $component }}
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: service-account-entrypoint-{{ $component }}
|
|
||||||
namespace: {{ $envAll.Release.Namespace }}
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
||||||
metadata:
|
|
||||||
name: cluster-role-entrypoint-{{ $component }}
|
|
||||||
annotations:
|
|
||||||
# Tiller sorts the execution of resources in the following order:
|
|
||||||
# Secret, ServiceAccount, Role, RoleBinding. The problem is that
|
|
||||||
# this Secret will not be created if ServiceAccount doesn't exist.
|
|
||||||
# The solution is to add pre-install hook so that these are created first.
|
|
||||||
helm.sh/hook: pre-install
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
- extensions
|
|
||||||
- batch
|
|
||||||
- apps
|
|
||||||
resources:
|
|
||||||
- pods
|
|
||||||
- services
|
|
||||||
- jobs
|
|
||||||
- endpoints
|
|
||||||
- daemonsets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: secret-entrypoint-{{ $component }}
|
|
||||||
namespace: {{ $envAll.Release.Namespace }}
|
|
||||||
annotations:
|
|
||||||
kubernetes.io/service-account.name: service-account-entrypoint-{{ $component }}
|
|
||||||
type: kubernetes.io/service-account-token
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: service-account-entrypoint-{{ $component }}
|
|
||||||
namespace: {{ $envAll.Release.Namespace }}
|
|
||||||
annotations:
|
|
||||||
# Tiller sorts the execution of resources in the following order:
|
|
||||||
# Secret, ServiceAccount, Role, RoleBinding. The problem is that
|
|
||||||
# this Secret will not be created if ServiceAccount doesn't exist.
|
|
||||||
# The solution is to add pre-install hook so that these are created first.
|
|
||||||
helm.sh/hook: pre-install
|
|
||||||
{{- end -}}
|
|
||||||
@ -1,24 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" -}}
|
|
||||||
{{- $envAll := index . 0 -}}
|
|
||||||
{{- $component := $envAll.Release.Name -}}
|
|
||||||
- name: entrypoint-serviceaccount-secret
|
|
||||||
secret:
|
|
||||||
secretName: secret-entrypoint-{{ $component }}
|
|
||||||
defaultMode: 420
|
|
||||||
{{- end -}}
|
|
||||||
@ -0,0 +1,68 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
|
||||||
|
{{- $envAll := index . 0 -}}
|
||||||
|
{{- $deps := index . 1 -}}
|
||||||
|
{{- $saName := index . 2 | replace "_" "-" }}
|
||||||
|
{{- $saNamespace := index . 3 -}}
|
||||||
|
{{- $releaseName := $envAll.Release.Name }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: {{ $releaseName }}-{{ $saName }}
|
||||||
|
namespace: {{ $saNamespace }}
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: Role
|
||||||
|
name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: {{ $saName }}
|
||||||
|
namespace: {{ $saNamespace }}
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: Role
|
||||||
|
metadata:
|
||||||
|
name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
|
||||||
|
namespace: {{ $saNamespace }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
- extensions
|
||||||
|
- batch
|
||||||
|
- apps
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
resources:
|
||||||
|
{{- range $k, $v := $deps -}}
|
||||||
|
{{ if eq $v "daemonsets" }}
|
||||||
|
- daemonsets
|
||||||
|
{{- end -}}
|
||||||
|
{{ if eq $v "jobs" }}
|
||||||
|
- jobs
|
||||||
|
{{- end -}}
|
||||||
|
{{ if or (eq $v "daemonsets") (eq $v "jobs") }}
|
||||||
|
- pods
|
||||||
|
{{- end -}}
|
||||||
|
{{ if eq $v "services" }}
|
||||||
|
- services
|
||||||
|
- endpoints
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
@ -0,0 +1,50 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
|
||||||
|
{{- $envAll := index . 0 -}}
|
||||||
|
{{- $deps := index . 1 -}}
|
||||||
|
{{- $saName := index . 2 -}}
|
||||||
|
{{- $saNamespace := $envAll.Release.Namespace }}
|
||||||
|
{{- $randomKey := randAlphaNum 32 }}
|
||||||
|
{{- $allNamespace := dict $randomKey "" }}
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: {{ $saName }}
|
||||||
|
namespace: {{ $saNamespace }}
|
||||||
|
{{- range $k, $v := $deps -}}
|
||||||
|
{{- if eq $k "services" }}
|
||||||
|
{{- range $serv := $v }}
|
||||||
|
{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
|
||||||
|
{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
|
||||||
|
{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
|
||||||
|
{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- else if eq $k "jobs" }}
|
||||||
|
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
|
||||||
|
{{- else if eq $k "daemonset" }}
|
||||||
|
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- $_ := unset $allNamespace $randomKey }}
|
||||||
|
{{- range $ns, $vv := $allNamespace }}
|
||||||
|
{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
|
||||||
|
{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
@ -187,7 +187,6 @@ spec:
|
|||||||
- effect: NoSchedule
|
- effect: NoSchedule
|
||||||
key: node-role.kubernetes.io/master
|
key: node-role.kubernetes.io/master
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 6 }}
|
|
||||||
- configMap:
|
- configMap:
|
||||||
defaultMode: 420
|
defaultMode: 420
|
||||||
name: kube-dns
|
name: kube-dns
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "kube-dns-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "kube-dns" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "kube-dns" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -60,6 +64,5 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/docker.sock
|
path: /var/run/docker.sock
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -84,6 +84,5 @@ manifests:
|
|||||||
configmap_kube_dns: true
|
configmap_kube_dns: true
|
||||||
deployment_kube_dns: true
|
deployment_kube_dns: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service_kube_dns: true
|
service_kube_dns: true
|
||||||
serviceaccount_kube_dns: true
|
serviceaccount_kube_dns: true
|
||||||
|
|||||||
@ -15,13 +15,14 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if .Values.manifests.clusterrolebinding }}
|
{{- if .Values.manifests.clusterrolebinding }}
|
||||||
|
{{- $serviceAccountName := "nfs-provisioner"}}
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: run-nfs-provisioner
|
name: run-nfs-provisioner
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: nfs-provisioner
|
name: {{ $serviceAccountName }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.nfs -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.nfs -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "nfs-provisioner"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
apiVersion: apps/v1beta1
|
apiVersion: apps/v1beta1
|
||||||
@ -35,7 +38,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: nfs-provisioner
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
affinity:
|
affinity:
|
||||||
{{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
{{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -83,7 +86,6 @@ spec:
|
|||||||
- name: export-volume
|
- name: export-volume
|
||||||
mountPath: /export
|
mountPath: /export
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: export-volume
|
- name: export-volume
|
||||||
{{- if eq .Values.storage.type "persistentVolumeClaim" }}
|
{{- if eq .Values.storage.type "persistentVolumeClaim" }}
|
||||||
persistentVolumeClaim:
|
persistentVolumeClaim:
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "nfs-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "nfs" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "nfs" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -60,6 +64,5 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/docker.sock
|
path: /var/run/docker.sock
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -1,22 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.serviceaccount }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: nfs-provisioner
|
|
||||||
{{- end }}
|
|
||||||
@ -127,8 +127,6 @@ manifests:
|
|||||||
clusterrolebinding: true
|
clusterrolebinding: true
|
||||||
deployment: true
|
deployment: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service: true
|
service: true
|
||||||
serviceaccount: true
|
|
||||||
storage_class: true
|
storage_class: true
|
||||||
volume_claim: true
|
volume_claim: true
|
||||||
|
|||||||
@ -15,6 +15,8 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if .Values.manifests.clusterrolebinding }}
|
{{- if .Values.manifests.clusterrolebinding }}
|
||||||
|
{{- $envAll := . }}
|
||||||
|
{{- $serviceAccountName := "alertmanager"}}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
@ -22,8 +24,8 @@ metadata:
|
|||||||
name: run-alertmanager
|
name: run-alertmanager
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: alertmanager
|
name: {{ $serviceAccountName }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ $envAll.Release.Namespace }}
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
name: cluster-admin
|
name: cluster-admin
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "alertmanager-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "alertmanager" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "alertmanager" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -60,6 +64,5 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/docker.sock
|
path: /var/run/docker.sock
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -1,20 +0,0 @@
|
|||||||
|
|
||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -1,22 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.serviceaccount }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: alertmanager
|
|
||||||
{{- end }}
|
|
||||||
@ -21,8 +21,12 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.alertmanager -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.alertmanager -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- $mounts_alertmanager := .Values.pod.mounts.alertmanager.alertmanager }}
|
{{- $mounts_alertmanager := .Values.pod.mounts.alertmanager.alertmanager }}
|
||||||
{{- $mounts_alertmanager_init := .Values.pod.mounts.alertmanager.init_container }}
|
{{- $mounts_alertmanager_init := .Values.pod.mounts.alertmanager.init_container }}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "alertmanager"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1beta1
|
apiVersion: apps/v1beta1
|
||||||
kind: StatefulSet
|
kind: StatefulSet
|
||||||
@ -93,7 +97,6 @@ spec:
|
|||||||
mountPath: /var/lib/alertmanager/data
|
mountPath: /var/lib/alertmanager/data
|
||||||
{{ if $mounts_alertmanager.volumeMounts }}{{ toYaml $mounts_alertmanager.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_alertmanager.volumeMounts }}{{ toYaml $mounts_alertmanager.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: etc-alertmanager
|
- name: etc-alertmanager
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: alertmanager-etc
|
- name: alertmanager-etc
|
||||||
|
|||||||
@ -151,11 +151,9 @@ manifests:
|
|||||||
ingress: true
|
ingress: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
pvc: true
|
pvc: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service: true
|
service: true
|
||||||
service_discovery: true
|
service_discovery: true
|
||||||
service_ingress: true
|
service_ingress: true
|
||||||
serviceaccount: true
|
|
||||||
statefulset: true
|
statefulset: true
|
||||||
|
|
||||||
conf:
|
conf:
|
||||||
|
|||||||
@ -16,6 +16,7 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.clusterrolebinding }}
|
{{- if .Values.manifests.clusterrolebinding }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
{{- $serviceAccountName := "kube-state-metrics"}}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
@ -23,8 +24,8 @@ metadata:
|
|||||||
name: run-kube-state-metrics
|
name: run-kube-state-metrics
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: kube-state-metrics
|
name: {{ $serviceAccountName }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ $envAll.Release.Namespace }}
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
name: kube-state-metrics-runner
|
name: kube-state-metrics-runner
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.kube_state_metrics -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.kube_state_metrics -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "kube-state-metrics"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -34,7 +37,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "kube-state-metrics" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "kube-state-metrics" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: kube-state-metrics
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.kube_state_metrics.timeout | default "30" }}
|
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.kube_state_metrics.timeout | default "30" }}
|
||||||
@ -47,6 +50,4 @@ spec:
|
|||||||
ports:
|
ports:
|
||||||
- name: metrics
|
- name: metrics
|
||||||
containerPort: {{ .Values.network.kube_state_metrics.port }}
|
containerPort: {{ .Values.network.kube_state_metrics.port }}
|
||||||
volumes:
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "kube-metrics-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "kube-metrics" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "kube-metrics" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -60,6 +64,5 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/docker.sock
|
path: /var/run/docker.sock
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -1,20 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{- $envAll := . }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -1,24 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.serviceaccount }}
|
|
||||||
{{- $envAll := . }}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: kube-state-metrics
|
|
||||||
{{- end }}
|
|
||||||
@ -142,7 +142,6 @@ manifests:
|
|||||||
clusterrolebinding: true
|
clusterrolebinding: true
|
||||||
deployment: true
|
deployment: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service_kube_metrics: true
|
service_kube_metrics: true
|
||||||
service_controller_manager: true
|
service_controller_manager: true
|
||||||
service_scheduler: true
|
service_scheduler: true
|
||||||
|
|||||||
@ -16,6 +16,7 @@ limitations under the License.
|
|||||||
|
|
||||||
{{- if .Values.manifests.clusterrolebinding }}
|
{{- if .Values.manifests.clusterrolebinding }}
|
||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
|
{{- $serviceAccountName := "node-exporter"}}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
@ -23,7 +24,7 @@ metadata:
|
|||||||
name: run-node-exporter
|
name: run-node-exporter
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: node-exporter
|
name: {{ $serviceAccountName }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.node_exporter -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.node_exporter -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "node-exporter"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
@ -35,7 +38,7 @@ spec:
|
|||||||
{{ tuple $envAll "node_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "node_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
namespace: {{ .Values.endpoints.node_metrics.namespace }}
|
namespace: {{ .Values.endpoints.node_metrics.namespace }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: node-exporter
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
@ -58,7 +61,6 @@ spec:
|
|||||||
mountPath: /host/sys
|
mountPath: /host/sys
|
||||||
readOnly: true
|
readOnly: true
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: proc
|
- name: proc
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /proc
|
path: /proc
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "node-exporter-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "node-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "node-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -60,6 +64,5 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/docker.sock
|
path: /var/run/docker.sock
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -1,20 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{- $envAll := . }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -1,24 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.serviceaccount }}
|
|
||||||
{{- $envAll := . }}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: node-exporter
|
|
||||||
{{- end }}
|
|
||||||
@ -131,6 +131,4 @@ manifests:
|
|||||||
clusterrolebinding: true
|
clusterrolebinding: true
|
||||||
daemonset: true
|
daemonset: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service: true
|
service: true
|
||||||
serviceaccount: true
|
|
||||||
|
|||||||
@ -16,6 +16,7 @@ limitations under the License.
|
|||||||
*/}}
|
*/}}
|
||||||
|
|
||||||
{{- if .Values.manifests.clusterrolebinding }}
|
{{- if .Values.manifests.clusterrolebinding }}
|
||||||
|
{{- $serviceAccountName := "prometheus"}}
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
@ -23,7 +24,7 @@ metadata:
|
|||||||
name: run-prometheus
|
name: run-prometheus
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: prometheus
|
name: {{ $serviceAccountName }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Release.Namespace }}
|
||||||
roleRef:
|
roleRef:
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "prometheus-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "prometheus" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "prometheus" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -60,6 +64,5 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/docker.sock
|
path: /var/run/docker.sock
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -40,7 +40,6 @@ spec:
|
|||||||
subPath: helm-tests.sh
|
subPath: helm-tests.sh
|
||||||
readOnly: true
|
readOnly: true
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 4 }}
|
|
||||||
- name: prometheus-bin
|
- name: prometheus-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: prometheus-bin
|
name: prometheus-bin
|
||||||
|
|||||||
@ -1,20 +0,0 @@
|
|||||||
|
|
||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -1,22 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.serviceaccount }}
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: prometheus
|
|
||||||
{{- end }}
|
|
||||||
@ -21,8 +21,12 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.prometheus -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.prometheus -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- $mounts_prometheus := .Values.pod.mounts.prometheus.prometheus }}
|
{{- $mounts_prometheus := .Values.pod.mounts.prometheus.prometheus }}
|
||||||
{{- $mounts_prometheus_init := .Values.pod.mounts.prometheus.init_container }}
|
{{- $mounts_prometheus_init := .Values.pod.mounts.prometheus.init_container }}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "prometheus"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1beta1
|
apiVersion: apps/v1beta1
|
||||||
kind: StatefulSet
|
kind: StatefulSet
|
||||||
@ -40,7 +44,7 @@ spec:
|
|||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-rules-hash: {{ tuple "configmap-rules.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-rules-hash: {{ tuple "configmap-rules.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
serviceAccount: prometheus
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
affinity:
|
affinity:
|
||||||
{{ tuple $envAll "prometheus" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
{{ tuple $envAll "prometheus" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -131,7 +135,6 @@ spec:
|
|||||||
mountPath: /var/lib/prometheus/data
|
mountPath: /var/lib/prometheus/data
|
||||||
{{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }}
|
{{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }}
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: etcprometheus
|
- name: etcprometheus
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
- name: rulesprometheus
|
- name: rulesprometheus
|
||||||
|
|||||||
@ -176,10 +176,8 @@ manifests:
|
|||||||
helm_tests: true
|
helm_tests: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
pvc: true
|
pvc: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service_ingress_prometheus: true
|
service_ingress_prometheus: true
|
||||||
service: true
|
service: true
|
||||||
serviceaccount: true
|
|
||||||
statefulset_prometheus: true
|
statefulset_prometheus: true
|
||||||
|
|
||||||
conf:
|
conf:
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.redis -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.redis -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "redis"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1beta1
|
apiVersion: apps/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -34,6 +37,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
affinity:
|
affinity:
|
||||||
{{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
{{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -53,6 +57,4 @@ spec:
|
|||||||
readinessProbe:
|
readinessProbe:
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
port: {{ .Values.network.port }}
|
port: {{ .Values.network.port }}
|
||||||
volumes:
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "redis-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "redis" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "redis" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -60,6 +64,5 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/docker.sock
|
path: /var/run/docker.sock
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -106,5 +106,4 @@ manifests:
|
|||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
deployment: true
|
deployment: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service: true
|
service: true
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.registry_proxy -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.registry_proxy -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "docker-registry-proxy"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
@ -35,6 +38,7 @@ spec:
|
|||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
@ -57,7 +61,6 @@ spec:
|
|||||||
subPath: default.conf
|
subPath: default.conf
|
||||||
readOnly: true
|
readOnly: true
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: registry-bin
|
- name: registry-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: registry-bin
|
name: registry-bin
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.registry -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.registry -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "docker-registry"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1beta1
|
apiVersion: apps/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -37,6 +40,7 @@ spec:
|
|||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
affinity:
|
affinity:
|
||||||
{{ tuple $envAll "docker" "registry" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
{{ tuple $envAll "docker" "registry" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
@ -64,7 +68,6 @@ spec:
|
|||||||
- name: docker-images
|
- name: docker-images
|
||||||
mountPath: {{ .Values.conf.registry.storage.filesystem.rootdirectory }}
|
mountPath: {{ .Values.conf.registry.storage.filesystem.rootdirectory }}
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: registry-bin
|
- name: registry-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: registry-bin
|
name: registry-bin
|
||||||
|
|||||||
@ -22,6 +22,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.bootstrap -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.bootstrap -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "docker-bootstrap"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -33,6 +36,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "docker" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "docker" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -57,7 +61,6 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
mountPath: /var/run/docker.sock
|
mountPath: /var/run/docker.sock
|
||||||
volumes:
|
volumes:
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
- name: registry-bin
|
- name: registry-bin
|
||||||
configMap:
|
configMap:
|
||||||
name: registry-bin
|
name: registry-bin
|
||||||
|
|||||||
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -179,5 +179,4 @@ manifests:
|
|||||||
job_bootstrap: true
|
job_bootstrap: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
pvc_images: true
|
pvc_images: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service_registry: true
|
service_registry: true
|
||||||
|
|||||||
@ -21,6 +21,9 @@ limitations under the License.
|
|||||||
{{- else -}}
|
{{- else -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.tiller -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.tiller -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "tiller"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: extensions/v1beta1
|
apiVersion: extensions/v1beta1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@ -87,9 +90,7 @@ spec:
|
|||||||
restartPolicy: Always
|
restartPolicy: Always
|
||||||
schedulerName: default-scheduler
|
schedulerName: default-scheduler
|
||||||
securityContext: {}
|
securityContext: {}
|
||||||
serviceAccount: tiller
|
serviceAccount: {{ $serviceAccountName }}
|
||||||
serviceAccountName: tiller
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
terminationGracePeriodSeconds: 30
|
terminationGracePeriodSeconds: 30
|
||||||
volumes:
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -18,6 +18,9 @@ limitations under the License.
|
|||||||
{{- $envAll := . }}
|
{{- $envAll := . }}
|
||||||
{{- if .Values.images.local_registry.active -}}
|
{{- if .Values.images.local_registry.active -}}
|
||||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||||
|
|
||||||
|
{{- $serviceAccountName := "kube-dns-image-repo-sync"}}
|
||||||
|
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||||
---
|
---
|
||||||
apiVersion: batch/v1
|
apiVersion: batch/v1
|
||||||
kind: Job
|
kind: Job
|
||||||
@ -29,6 +32,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "tiller" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "tiller" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
spec:
|
spec:
|
||||||
|
serviceAccountName: {{ $serviceAccountName }}
|
||||||
restartPolicy: OnFailure
|
restartPolicy: OnFailure
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||||
@ -60,6 +64,5 @@ spec:
|
|||||||
- name: docker-socket
|
- name: docker-socket
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /var/run/docker.sock
|
path: /var/run/docker.sock
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
@ -1,19 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.rbac_entrypoint }}
|
|
||||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
|
||||||
{{- end }}
|
|
||||||
@ -1,24 +0,0 @@
|
|||||||
{{/*
|
|
||||||
Copyright 2017 The Openstack-Helm Authors.
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
||||||
*/}}
|
|
||||||
|
|
||||||
{{- if .Values.manifests.serviceaccount_tiller }}
|
|
||||||
{{- $envAll := . }}
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: tiller
|
|
||||||
{{- end }}
|
|
||||||
@ -83,6 +83,4 @@ manifests:
|
|||||||
configmap_bin: true
|
configmap_bin: true
|
||||||
deployment_tiller: true
|
deployment_tiller: true
|
||||||
job_image_repo_sync: true
|
job_image_repo_sync: true
|
||||||
rbac_entrypoint: true
|
|
||||||
service_tiller_deploy: true
|
service_tiller_deploy: true
|
||||||
serviceaccount_tiller: true
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user