diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml
index d048f949a..bb7d4e096 100644
--- a/calico/templates/daemonset-calico-etcd.yaml
+++ b/calico/templates/daemonset-calico-etcd.yaml
@@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.etcd -}}
 {{- end -}}
+
+{{- $serviceAccountName := "calico-etcd"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 # This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
 # to force it to run on the master even when the master isn't schedulable, and uses
@@ -76,7 +79,6 @@ spec:
 - name: var-etcd
 mountPath: /var/etcd
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: var-etcd
 hostPath:
 path: /var/etcd
diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml
index 31e9b7965..e79a59a50 100644
--- a/calico/templates/daemonset-calico-node.yaml
+++ b/calico/templates/daemonset-calico-node.yaml
@@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_node -}}
 {{- end -}}
+
+{{- $serviceAccountName := "calico-cni-plugin"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 # This manifest installs the calico/node container, as well
 # as the Calico CNI plugins and network config on
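Review bot: No hunk in daemonset-calico-etcd.yaml sets `serviceAccountName: {{ $serviceAccountName }}` on the pod spec, unlike every other workload that includes `kubernetes_pod_rbac_serviceaccount` in this change, so unless the pod spec already names the `calico-etcd` account outside the shown hunks the DaemonSet keeps running under the namespace `default` ServiceAccount and the account and RBAC the snippet renders go unused. With the entrypoint secret mount removed in the second hunk, the dependency-check init container would then run with whatever the default account happens to be allowed, which may be nothing. Add `      serviceAccountName: {{ $serviceAccountName }}` to the pod spec, as the calico-node change does. The pod spec itself lies outside both hunks, so this is inferred from what is visible.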
@@ -57,7 +60,7 @@ spec:
 # This, along with the annotation above marks this pod as a critical add-on.
 - key: CriticalAddonsOnly
 operator: Exists
- serviceAccountName: calico-cni-plugin
+ serviceAccountName: {{ $serviceAccountName }}
 initContainers:
 {{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
@@ -160,7 +163,6 @@ spec:
 - mountPath: /host/etc/cni/net.d
 name: cni-net-dir
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 # Used by calico/node.
 - name: lib-modules
 hostPath:
diff --git a/calico/templates/deployment-calico-policy-controller.yaml b/calico/templates/deployment-calico-policy-controller.yaml
index 2fe0b4d49..ecb1c27f5 100644
--- a/calico/templates/deployment-calico-policy-controller.yaml
+++ b/calico/templates/deployment-calico-policy-controller.yaml
@@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_policy_controller -}}
 {{- end -}}
+
+{{- $serviceAccountName := "calico-policy-controller"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 # This manifest deploys the Calico policy controller on Kubernetes.
 # See https://github.com/projectcalico/k8s-policy
@@ -58,7 +61,7 @@ spec:
 # This, along with the annotation above marks this pod as a critical add-on.
 - key: CriticalAddonsOnly
 operator: Exists
- serviceAccountName: calico-policy-controller
+ serviceAccountName: {{ $serviceAccountName }}
 initContainers:
 {{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
@@ -80,6 +83,4 @@ spec:
 # kubernetes.default to the correct service clusterIP.
 - name: CONFIGURE_ETC_HOSTS
 value: "true"
- volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
diff --git a/calico/templates/job-image-repo-sync.yaml b/calico/templates/job-image-repo-sync.yaml
index 6b5e664f1..afd26fd43 100644
--- a/calico/templates/job-image-repo-sync.yaml
+++ b/calico/templates/job-image-repo-sync.yaml
@@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "calico-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -29,6 +32,7 @@ spec:
 labels:
 {{ tuple $envAll "calico" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@@ -53,7 +57,6 @@ spec:
 - name: docker-socket
 mountPath: /var/run/docker.sock
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: calico-bin
 configMap:
 name: calico-bin
diff --git a/calico/templates/rbac-entrypoint.yaml b/calico/templates/rbac-entrypoint.yaml
deleted file mode 100644
index 311712ea9..000000000
--- a/calico/templates/rbac-entrypoint.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
diff --git a/calico/values.yaml b/calico/values.yaml
index ccdc80f09..250df7efe 100644
--- a/calico/values.yaml
+++ b/calico/values.yaml
@@ -114,7 +114,4 @@ manifests:
 daemonset_calico_node: true
 deployment_calico_policy_controller: true
 job_image_repo_sync: true
- rbac_entrypoint: true
 service_calico_etcd: true
- serviceaccount_calico_cni_plugin: true
- serviceaccount_calico_policy_controller: true
diff --git a/calico/templates/serviceaccount-calico-cni-plugin.yaml b/elasticsearch/templates/clusterrolebinding-client.yaml
similarity index 59%
rename from calico/templates/serviceaccount-calico-cni-plugin.yaml
rename to elasticsearch/templates/clusterrolebinding-client.yaml
index f055437c3..5ead5090e 100644
--- a/calico/templates/serviceaccount-calico-cni-plugin.yaml
+++ b/elasticsearch/templates/clusterrolebinding-client.yaml
@@ -14,11 +14,20 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if .Values.manifests.serviceaccount_calico_cni_plugin }}
+{{- if .Values.manifests.clusterrolebinding_client }}
 {{- $envAll := . }}
+{{- $serviceAccountName := "elasticsearch-client"}}
 ---
-apiVersion: v1
-kind: ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
 metadata:
- name: calico-cni-plugin
+ name: run-elasticsearch-client
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: elasticsearch-runner
+ apiGroup: rbac.authorization.k8s.io
 {{- end }}
diff --git a/elasticsearch/templates/clusterrolebinding.yaml b/elasticsearch/templates/clusterrolebinding-data.yaml
similarity index 83%
rename from elasticsearch/templates/clusterrolebinding.yaml
rename to elasticsearch/templates/clusterrolebinding-data.yaml
index 7eba51e2c..eebf62bff 100644
--- a/elasticsearch/templates/clusterrolebinding.yaml
+++ b/elasticsearch/templates/clusterrolebinding-data.yaml
@@ -14,16 +14,17 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if .Values.manifests.clusterrolebinding }}
+{{- if .Values.manifests.clusterrolebinding_data }}
 {{- $envAll := . }}
+{{- $serviceAccountName := "elasticsearch-data"}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
- name: run-elasticsearch
+ name: run-elasticsearch-data
 subjects:
 - kind: ServiceAccount
- name: elasticsearch
+ name: {{ $serviceAccountName }}
 namespace: {{ .Release.Namespace }}
 roleRef:
 kind: ClusterRole
diff --git a/elasticsearch/templates/configmap-etc.yaml b/elasticsearch/templates/configmap-etc.yaml
index 9fd248eea..e5c8dd6ea 100644
--- a/elasticsearch/templates/configmap-etc.yaml
+++ b/elasticsearch/templates/configmap-etc.yaml
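Review bot: `{{- $envAll := . }}` is kept in both clusterrolebinding-client.yaml and clusterrolebinding-data.yaml but nothing in either template reads it; either drop the line or use it consistently, e.g. `namespace: {{ $envAll.Release.Namespace }}` in the subject. Separately, both resources are ClusterRoleBindings, which grant `elasticsearch-runner` to these accounts in every namespace; the role's rules are not part of this diff, but if they only cover namespaced resources in the release namespace a `kind: RoleBinding` referencing the same ClusterRole would confine the grant to `{{ .Release.Namespace }}`. The same consideration applies to the fluent-bit and fluentd bindings later in this commit.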
@@ -26,8 +26,8 @@ data:
 {{- tuple .Values.conf.elasticsearch "etc/_elasticsearch.yml.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
 log4j2.properties: |+
 {{- tuple .Values.conf.elasticsearch "etc/_log4j2.properties.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
- action_file.yml:
+ action_file.yml: |-
 {{ toYaml .Values.conf.curator.action_file | indent 4 }}
- config.yml:
+ config.yml: |-
 {{ toYaml .Values.conf.curator.config | indent 4 }}
 {{- end }}
diff --git a/elasticsearch/templates/cron-job-curator.yaml b/elasticsearch/templates/cron-job-curator.yaml
index 73b2786fb..72878d1b7 100644
--- a/elasticsearch/templates/cron-job-curator.yaml
+++ b/elasticsearch/templates/cron-job-curator.yaml
@@ -18,6 +18,9 @@ limitations under the License.
 {{- if .Capabilities.APIVersions.Has "batch/v2alpha1" }}
 {{- $envAll := . }}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.curator -}}
+
+{{- $serviceAccountName := "curator"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v2alpha1
 kind: CronJob
@@ -32,6 +35,7 @@ spec:
 spec:
 template:
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 initContainers:
 {{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
@@ -67,6 +71,5 @@ spec:
 configMap:
 name: elastic-etc
 defaultMode: 0444
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 12 }}
 {{- end }}
 {{- end }}
diff --git a/elasticsearch/templates/deployment-client.yaml b/elasticsearch/templates/deployment-client.yaml
index ce6782e63..c871e2280 100644
--- a/elasticsearch/templates/deployment-client.yaml
+++ b/elasticsearch/templates/deployment-client.yaml
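Review bot: `action_file.yml: |-` and `config.yml: |-` now render `toYaml` of a values map, so if either `.Values.conf.curator.action_file` or `.Values.conf.curator.config` is unset or overridden to empty the file content becomes the literal `null`, which is only discovered when curator reads the file rather than at render time. Wrapping each entry in `{{- if .Values.conf.curator.action_file }}` / `{{- end }}` (and likewise for `config`) makes the empty case explicit, or the values file should state that both maps are required. Note also that YAML comments inside those maps in values.yaml are dropped by `toYaml`, so they no longer reach the rendered ConfigMap; that is harmless but worth knowing when the curator config looks sparser than the values.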
@@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_client -}}
 {{- end -}}
+
+{{- $serviceAccountName := "elasticsearch-client"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -37,7 +40,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
- serviceAccount: elasticsearch
+ serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "elasticsearch" "client" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.client.timeout | default "600" }}
@@ -124,7 +127,6 @@ spec:
 - name: storage
 mountPath: {{ .Values.conf.elasticsearch.path.data }}
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: elastic-logs
 emptyDir: {}
 - name: elastic-bin
diff --git a/elasticsearch/templates/deployment-master.yaml b/elasticsearch/templates/deployment-master.yaml
index b52c1ae0f..a67abfcd8 100644
--- a/elasticsearch/templates/deployment-master.yaml
+++ b/elasticsearch/templates/deployment-master.yaml
@@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_master -}}
 {{- end -}}
+
+{{- $serviceAccountName := "elasticsearch-master"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
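Review bot: `elasticsearch-master` is introduced here as a new ServiceAccount name, but unlike `elasticsearch-client` and `elasticsearch-data` no ClusterRoleBinding for it appears anywhere in this diff, whereas before the change all three workloads shared the `elasticsearch` account that `run-elasticsearch` bound to `elasticsearch-runner`. If the master pods rely on that role (its rules are not visible here), this is a silent loss of permissions that only shows up at runtime; if they do not, it is a least-privilege improvement that deserves a sentence in the commit message. Please confirm which it is, and if the binding is needed add a `clusterrolebinding-master.yaml` mirroring the client one together with a `clusterrolebinding_master` flag in values.yaml.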
@@ -37,7 +40,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
- serviceAccount: elasticsearch
+ serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.master.timeout | default "600" }}
@@ -118,7 +121,6 @@ spec:
 - name: storage
 mountPath: {{ .Values.conf.elasticsearch.path.data }}
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: elastic-logs
 emptyDir: {}
 - name: elastic-bin
diff --git a/elasticsearch/templates/job-image-repo-sync.yaml b/elasticsearch/templates/job-image-repo-sync.yaml
index e85f48aec..0d75d6d19 100644
--- a/elasticsearch/templates/job-image-repo-sync.yaml
+++ b/elasticsearch/templates/job-image-repo-sync.yaml
@@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "elasticsearch-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -29,6 +32,7 @@ spec:
 labels:
 {{ tuple $envAll "elasticsearch" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@@ -60,6 +64,5 @@ spec:
 - name: docker-socket
 hostPath:
 path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
diff --git a/elasticsearch/templates/pod-helm-tests.yaml b/elasticsearch/templates/pod-helm-tests.yaml
index cfd208095..645655dd6 100644
--- a/elasticsearch/templates/pod-helm-tests.yaml
+++ b/elasticsearch/templates/pod-helm-tests.yaml
@@ -40,7 +40,6 @@ spec:
 subPath: helm-tests.sh
 readOnly: true
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 4 }}
 - name: elastic-bin
 configMap:
 name: elastic-bin
diff --git a/elasticsearch/templates/rbac-entrypoint.yaml b/elasticsearch/templates/rbac-entrypoint.yaml
deleted file mode 100644
index 311712ea9..000000000
--- a/elasticsearch/templates/rbac-entrypoint.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
diff --git a/elasticsearch/templates/statefulset-data.yaml b/elasticsearch/templates/statefulset-data.yaml
index 172f48deb..c998ff3ef 100644
--- a/elasticsearch/templates/statefulset-data.yaml
+++ b/elasticsearch/templates/statefulset-data.yaml
@@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_data -}}
 {{- end -}}
+
+{{- $serviceAccountName := "elasticsearch-data"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: StatefulSet
@@ -34,7 +37,7 @@ spec:
 labels:
 {{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
- serviceAccount: elasticsearch
+ serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.data.timeout | default "600" }}
@@ -115,7 +118,6 @@ spec:
 - name: storage
 mountPath: {{ .Values.conf.elasticsearch.path.data }}
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: elastic-logs
 emptyDir: {}
 - name: elastic-bin
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 81bf79629..a0a1349ab 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -133,9 +133,9 @@ conf:
 init:
 max_map_count: 262144
 curator:
- schedule: 1 0 * * *
- action_file: |
- ---
+ #runs weekly
+ schedule: "0 0 * * 0"
+ action_file:
 # Remember, leave a key empty if there is no value. None will be a string,
 # not a Python "NoneType"
 #
@@ -161,8 +161,7 @@ conf:
 stats_result:
 epoch:
 exclude: False
- config: |
- ---
+ config:
 # Remember, leave a key empty if there is no value. None will be a string,
 # not a Python "NoneType"
 client:
@@ -255,7 +254,8 @@ storage:
 
 manifests:
 clusterrole: true
- clusterrolebinding: true
+ clusterrolebinding_client: true
+ clusterrolebinding_data: true
 configmap_bin: true
 configmap_etc: true
 cron_curator: true
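Review bot: `#runs weekly` in the elasticsearch/values.yaml curator hunk should be written `# runs weekly` and indented to the same level as `schedule:` (yamllint `comments` and `comments-indentation`). The same hunk also changes the curator schedule from `1 0 * * *` (daily at 00:01) to `0 0 * * 0` (weekly, Sunday 00:00), a behavioural change unrelated to the service-account rework that is not mentioned anywhere; it should be called out in the commit message or split into its own change. Quoting the cron string is a good move regardless, since the value is a string and must not be retyped by tooling.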
@@ -263,7 +263,6 @@ manifests:
 deployment_master: true
 job_image_repo_sync: true
 helm_tests: true
- rbac_entrypoint: true
 serviceaccount: true
 service_data: true
 service_discovery: true
diff --git a/flannel/templates/daemonset-kube-flannel-ds.yaml b/flannel/templates/daemonset-kube-flannel-ds.yaml
index 0a2303c40..63f6031b1 100644
--- a/flannel/templates/daemonset-kube-flannel-ds.yaml
+++ b/flannel/templates/daemonset-kube-flannel-ds.yaml
@@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.flannel -}}
 {{- end -}}
+
+{{- $serviceAccountName := "flannel"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@@ -45,7 +48,7 @@ spec:
 - key: node-role.kubernetes.io/master
 operator: Exists
 effect: NoSchedule
- serviceAccountName: flannel
+ serviceAccountName: {{ $serviceAccountName }}
 initContainers:
 {{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
@@ -77,7 +80,6 @@ spec:
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: run
 hostPath:
 path: /run
diff --git a/flannel/templates/job-image-repo-sync.yaml b/flannel/templates/job-image-repo-sync.yaml
index 36f38429d..012ec8940 100644
--- a/flannel/templates/job-image-repo-sync.yaml
+++ b/flannel/templates/job-image-repo-sync.yaml
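Review bot: `serviceaccount: true` survives in the elasticsearch manifests block although, after this change, nothing in the diff references an `elasticsearch` ServiceAccount any more: the client, master and data workloads now use per-workload accounts, and `run-elasticsearch` has been renamed to bind `elasticsearch-data`. If `elasticsearch/templates/serviceaccount.yaml` still renders that account it is now an orphan with no binding and no pod using it; consider removing the template and the flag, as this same commit does for fluent-logging. That template is outside this diff, so this is inferred from the flag alone.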
@@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "flannel-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -29,6 +32,7 @@ spec:
 labels:
 {{ tuple $envAll "flannel" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@@ -53,7 +57,6 @@ spec:
 - name: docker-socket
 mountPath: /var/run/docker.sock
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: flannel-bin
 configMap:
 name: flannel-bin
diff --git a/flannel/templates/rbac-entrypoint.yaml b/flannel/templates/rbac-entrypoint.yaml
deleted file mode 100644
index 311712ea9..000000000
--- a/flannel/templates/rbac-entrypoint.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
diff --git a/flannel/values.yaml b/flannel/values.yaml
index f38b3f0b5..7f9e8b761 100644
--- a/flannel/values.yaml
+++ b/flannel/values.yaml
@@ -84,5 +84,4 @@ manifests:
 configmap_kube_flannel_cfg: true
 daemonset_kube_flannel_ds: true
 job_image_repo_sync: true
- rbac_entrypoint: true
 serviceaccount_flannel: true
diff --git a/calico/templates/serviceaccount-calico-policy-controller.yaml b/fluent-logging/templates/clusterrolebinding-fluentbit.yaml
similarity index 59%
rename from calico/templates/serviceaccount-calico-policy-controller.yaml
rename to fluent-logging/templates/clusterrolebinding-fluentbit.yaml
index 19912fb59..a389805e1 100644
--- a/calico/templates/serviceaccount-calico-policy-controller.yaml
+++ b/fluent-logging/templates/clusterrolebinding-fluentbit.yaml
@@ -14,11 +14,19 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if .Values.manifests.serviceaccount_calico_policy_controller }}
-{{- $envAll := . }}
+{{- if .Values.manifests.clusterrolebinding_fluentbit }}
+{{- $serviceAccountName := "fluentbit"}}
 ---
-apiVersion: v1
-kind: ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
 metadata:
- name: calico-policy-controller
+ name: run-fluent-bit-logging
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: fluent-logging-runner
+ apiGroup: rbac.authorization.k8s.io
 {{- end }}
diff --git a/fluent-logging/templates/clusterrolebinding.yaml b/fluent-logging/templates/clusterrolebinding-logging.yaml
similarity index 86%
rename from fluent-logging/templates/clusterrolebinding.yaml
rename to fluent-logging/templates/clusterrolebinding-logging.yaml
index 4d8f32005..7dc1cafe5 100644
--- a/fluent-logging/templates/clusterrolebinding.yaml
+++ b/fluent-logging/templates/clusterrolebinding-logging.yaml
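Review bot: `serviceaccount_flannel: true` is retained in flannel/values.yaml while the flannel DaemonSet now renders a ServiceAccount named `flannel` through `kubernetes_pod_rbac_serviceaccount`, so if `flannel/templates/serviceaccount-flannel.yaml` is still present the chart emits two ServiceAccount manifests with the same name in the same release, which is at best redundant and may fail on install. Either delete the old template and its flag, as this commit does for fluent-logging, or keep the pre-existing account and skip the snippet for flannel. I infer the snippet's account name from the `name: {{ $serviceAccountName }}` subjects in the new ClusterRoleBindings; the snippet itself and the old template are outside this diff.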
@@ -14,14 +14,16 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if .Values.manifests.clusterrolebinding }}
+{{- if .Values.manifests.clusterrolebinding_logging }}
+{{- $serviceAccountName := "fluentd"}}
+---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
 name: run-fluent-logging
 subjects:
 - kind: ServiceAccount
- name: fluent-logging
+ name: {{ $serviceAccountName }}
 namespace: {{ .Release.Namespace }}
 roleRef:
 kind: ClusterRole
diff --git a/fluent-logging/templates/daemonset-fluent-bit.yaml b/fluent-logging/templates/daemonset-fluent-bit.yaml
index 2d95ae41b..5a86f2a3c 100644
--- a/fluent-logging/templates/daemonset-fluent-bit.yaml
+++ b/fluent-logging/templates/daemonset-fluent-bit.yaml
@@ -22,7 +22,11 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentbit -}}
 {{- end -}}
+
 {{- $mounts_fluentbit := .Values.pod.mounts.fluentbit.fluentbit }}
+
+{{- $serviceAccountName := "fluentbit"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@@ -37,7 +41,7 @@ spec:
 annotations:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
- serviceAccount: fluent-logging
+ serviceAccountName: {{ $serviceAccountName }}
 nodeSelector:
 {{ .Values.labels.fluentbit.node_selector_key }}: {{ .Values.labels.fluentbit.node_selector_value }}
 hostNetwork: true
@@ -73,7 +77,6 @@ spec:
 readOnly: true
 {{ if $mounts_fluentbit.volumeMounts }}{{ toYaml $mounts_fluentbit.volumeMounts | indent 8 }}{{ end }}
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: varlog
 hostPath:
 path: /var/log
diff --git a/fluent-logging/templates/deployment-fluentd.yaml b/fluent-logging/templates/deployment-fluentd.yaml
index 4bc84ac8a..0d9c18407 100644
--- a/fluent-logging/templates/deployment-fluentd.yaml
+++ b/fluent-logging/templates/deployment-fluentd.yaml
@@ -21,7 +21,11 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentd -}}
 {{- end -}}
+
 {{- $mounts_fluentd := .Values.pod.mounts.fluentd.fluentd }}
+
+{{- $serviceAccountName := "fluentd"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -38,7 +42,7 @@ spec:
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
- serviceAccount: fluent-logging
+ serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "aggregator" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
@@ -69,7 +73,6 @@ spec:
 readOnly: true
 {{- if $mounts_fluentd.volumeMounts }}{{ toYaml $mounts_fluentd.volumeMounts | indent 12 }}{{- end }}
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: pod-etc-fluentd
 emptyDir: {}
 - name: fluent-logging-etc
diff --git a/fluent-logging/templates/job-image-repo-sync.yaml b/fluent-logging/templates/job-image-repo-sync.yaml
index 741d93616..9c74f366e 100644
--- a/fluent-logging/templates/job-image-repo-sync.yaml
+++ b/fluent-logging/templates/job-image-repo-sync.yaml
@@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "fluent-logging-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -29,6 +32,7 @@ spec:
 labels:
 {{ tuple $envAll "fluent-logging-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@@ -53,7 +57,6 @@ spec:
 - name: docker-socket
 mountPath: /var/run/docker.sock
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 - name: fluent-logging-bin
 configMap:
 name: fluent-logging-bin
diff --git a/fluent-logging/templates/rbac-entrypoint.yaml b/fluent-logging/templates/rbac-entrypoint.yaml
deleted file mode 100644
index 311712ea9..000000000
--- a/fluent-logging/templates/rbac-entrypoint.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
diff --git a/fluent-logging/templates/serviceaccount.yaml b/fluent-logging/templates/serviceaccount.yaml
deleted file mode 100644
index 8d09a19c1..000000000
--- a/fluent-logging/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICEN E-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.serviceaccount }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: fluent-logging
-{{- end }}
diff --git a/fluent-logging/values.yaml b/fluent-logging/values.yaml
index 995c011fd..2a05a66c6 100644
--- a/fluent-logging/values.yaml
+++ b/fluent-logging/values.yaml
@@ -217,14 +217,13 @@ pod:
 fluent_tests:
 
 manifests:
- service_fluentd: true
+ clusterrole: true
+ clusterrolebinding_fluentbit: true
+ clusterrolebinding_logging: true
+ configmap_bin: true
+ configmap_etc: true
 deployment_fluentd: true
 daemonset_fluentbit: true
 job_image_repo_sync: true
 helm_tests: true
- configmap_bin: true
- configmap_etc: true
- clusterrole: true
- clusterrolebinding: true
- rbac_entrypoint: true
- serviceaccount: true
+ service_fluentd: true
diff --git a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
index 234bc94da..669daf02e 100644
--- a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@@ -18,8 +18,6 @@ limitations under the License.
 {{- $envAll := index . 0 -}}
 {{- $deps := index . 1 -}}
 {{- $mounts := index . 2 -}}
-{{- $mountServiceAccount := dict "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" "name" "entrypoint-serviceaccount-secret" "readOnly" true -}}
-{{- $mountsEntrypoint := append $mounts $mountServiceAccount -}}
 - name: init
 {{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
 env:
@@ -48,5 +46,5 @@ limitations under the License.
 command:
 - kubernetes-entrypoint
 volumeMounts:
-{{ toYaml $mountsEntrypoint | indent 4 }}
+{{ toYaml $mounts | indent 4 }}
 {{- end -}}
diff --git a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_rbac.tpl b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_rbac.tpl
deleted file mode 100644
index 6c6516246..000000000
--- a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_rbac.tpl
+++ /dev/null
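Review bot: `{{ toYaml $mounts | indent 4 }}` is now emitted unconditionally; with the `list` every caller in this diff passes it renders `volumeMounts:` followed by `[]`, which is valid, but a caller passing nil would render `null`, and the removed `append` used to mask that by always contributing the token mount. Guarding the two lines with `{{- if $mounts }}` / `{{- end }}` makes the empty case explicit instead of relying on how `toYaml` prints an empty value. The init container now depends on the automounted token of the pod's `serviceAccountName` rather than an explicitly mounted secret, so any pod that sets `automountServiceAccountToken: false` silently loses dependency checking; a one-line comment at the top of the snippet stating that requirement, e.g. `{{/* requires the pod's ServiceAccount token to be automounted */}}`, would save the next maintainer a debugging session.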
@@ -1,86 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "helm-toolkit.snippets.kubernetes_entrypoint_rbac" -}}
-{{- $envAll := index . 0 -}}
-{{- $component := $envAll.Release.Name -}}
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: cluster-role-binding-entrypoint-{{ $component }}
- annotations:
- # Tiller sorts the execution of resources in the following order:
- # Secret, ServiceAccount, Role, RoleBinding. The problem is that
- # this Secret will not be created if ServiceAccount doesn't exist.
- # The solution is to add pre-install hook so that these are created first.
- helm.sh/hook: pre-install
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-role-entrypoint-{{ $component }}
-subjects:
- - kind: ServiceAccount
- name: service-account-entrypoint-{{ $component }}
- namespace: {{ $envAll.Release.Namespace }}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: cluster-role-entrypoint-{{ $component }}
- annotations:
- # Tiller sorts the execution of resources in the following order:
- # Secret, ServiceAccount, Role, RoleBinding. The problem is that
- # this Secret will not be created if ServiceAccount doesn't exist.
- # The solution is to add pre-install hook so that these are created first.
- helm.sh/hook: pre-install
-rules:
- - apiGroups:
- - ""
- - extensions
- - batch
- - apps
- resources:
- - pods
- - services
- - jobs
- - endpoints
- - daemonsets
- verbs:
- - get
- - list
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: secret-entrypoint-{{ $component }}
- namespace: {{ $envAll.Release.Namespace }}
- annotations:
- kubernetes.io/service-account.name: service-account-entrypoint-{{ $component }}
-type: kubernetes.io/service-account-token
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: service-account-entrypoint-{{ $component }}
- namespace: {{ $envAll.Release.Namespace }}
- annotations:
- # Tiller sorts the execution of resources in the following order:
- # Secret, ServiceAccount, Role, RoleBinding. The problem is that
- # this Secret will not be created if ServiceAccount doesn't exist.
- # The solution is to add pre-install hook so that these are created first.
- helm.sh/hook: pre-install
-{{- end -}}
diff --git a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_secret_mount.tpl b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_secret_mount.tpl
deleted file mode 100644
index 405c4b206..000000000
--- a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_secret_mount.tpl
+++ /dev/null
@@ -1,24 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" -}}
-{{- $envAll := index . 0 -}}
-{{- $component := $envAll.Release.Name -}}
-- name: entrypoint-serviceaccount-secret
- secret:
- secretName: secret-entrypoint-{{ $component }}
- defaultMode: 420
-{{- end -}}
diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
new file mode 100644
index 000000000..0f4621b0a
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@@ -0,0 +1,68 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
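Review bot: The RoleBinding subject uses `namespace: {{ $saNamespace }}`, but `$saNamespace` is `index . 3`, the namespace the Role is created in (the serviceaccount snippet passes an endpoint's namespace as that argument for service dependencies), while the ServiceAccount itself is emitted in `$envAll.Release.Namespace`; for a dependency whose endpoint lives outside the release namespace the binding therefore names an account that does not exist there and grants the pod nothing, so the subject should read `namespace: {{ $envAll.Release.Namespace }}` and only the Role and the binding's own `metadata.namespace` should use `$saNamespace`. Relatedly, `$saName` is normalised with `replace "_" "-"` here but the account is emitted with the raw name, so a name containing an underscore would make subject and account diverge silently; apply the same normalisation in both places or drop it here. `kind: Role` is declared as `rbac.authorization.k8s.io/v1beta1` while the RoleBinding is `v1`; both should be `v1`. A short header comment describing the tuple arguments (envAll, resource list, account name, target namespace) would help callers, since `index . 2` and `index . 3` are otherwise undocumented.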
diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
new file mode 100644
index 000000000..9ad9ccc2f
--- /dev/null
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@@ -0,0 +1,50 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if eq $k "jobs" }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if eq $k "daemonset" }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
diff --git a/kube-dns/templates/deployment-kube-dns.yaml b/kube-dns/templates/deployment-kube-dns.yaml
index eb2f86119..3e5eb79d3 100644
--- a/kube-dns/templates/deployment-kube-dns.yaml
+++ b/kube-dns/templates/deployment-kube-dns.yaml
@@ -187,7 +187,6 @@ spec:
 - effect: NoSchedule
 key: node-role.kubernetes.io/master
 volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 6 }}
 - configMap:
 defaultMode: 420
 name: kube-dns
diff --git a/kube-dns/templates/job-image-repo-sync.yaml b/kube-dns/templates/job-image-repo-sync.yaml
index 9bc962e36..18041ca25 100644
--- a/kube-dns/templates/job-image-repo-sync.yaml
+++ b/kube-dns/templates/job-image-repo-sync.yaml
@@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "kube-dns-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -29,6 +32,7 @@ spec:
 labels:
 {{ tuple $envAll "kube-dns" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@@ -60,6 +64,5 @@ spec:
 - name: docker-socket
 hostPath:
 path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
diff --git a/kube-dns/templates/rbac-entrypoint.yaml b/kube-dns/templates/rbac-entrypoint.yaml
deleted file mode 100644
index 311712ea9..000000000
--- a/kube-dns/templates/rbac-entrypoint.yaml
+++ /dev/null
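Review bot: `index $envAll.Values.endpoints $serv.service` followed by `$endpointMap.namespace` has no guard for a service key that is missing from `endpoints`; as far as I can tell `index` then yields nil and the `.namespace` access aborts rendering with an opaque error, so a `required` (or an explicit `if`/`fail`) naming the missing endpoint would turn that into an actionable message. The `randAlphaNum 32` / `unset` dance exists only to obtain an empty map; Sprig's `dict` accepts zero arguments and returns an empty map, I believe, so `{{- $allNamespace := dict }}` would remove both the random key and the `unset` line. The dependency key compared is the singular `"daemonset"` while the resource string appended is `"daemonsets,"` — that is what the roles snippet matches on, but a comment such as `# values key is daemonset; the API resource is daemonsets` would stop the next reader "correcting" one side. A header comment stating the tuple contract (envAll, pod_dependency map, account name) and that the account is always created in the release namespace would also help, since `index . 2` is otherwise undocumented.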
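Review bot: deployment-kube-dns.yaml loses its entrypoint secret mount here without gaining a `serviceAccountName` or a `kubernetes_pod_rbac_serviceaccount` call, unlike the job-image-repo-sync hunk that follows; after the `_kubernetes_entrypoint_init_container.tpl` change, `dep_check` in this pod authenticates with whatever account the deployment's `spec` (outside the hunk) already names, presumably the chart's own `kube-dns` account since `serviceaccount_kube_dns: true` survives in values.yaml. The `rbac-entrypoint.yaml` deletion removes the ClusterRole that used to give the entrypoint get/list on pods, services, endpoints, jobs and daemonsets, so unless that account carries equivalent permissions the init container will now be refused by the API server; either confirm it does, or wire this deployment to the new snippet as the other charts in this change do.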
@@ -1,19 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.rbac_entrypoint }} -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}} -{{- end }} diff --git a/kube-dns/values.yaml b/kube-dns/values.yaml index 7e12e8ac2..a0307cd34 100644 --- a/kube-dns/values.yaml +++ b/kube-dns/values.yaml @@ -84,6 +84,5 @@ manifests: configmap_kube_dns: true deployment_kube_dns: true job_image_repo_sync: true - rbac_entrypoint: true service_kube_dns: true serviceaccount_kube_dns: true diff --git a/nfs-provisioner/templates/clusterrolebinding.yaml b/nfs-provisioner/templates/clusterrolebinding.yaml index 9b1b22461..a7ca49322 100644 --- a/nfs-provisioner/templates/clusterrolebinding.yaml +++ b/nfs-provisioner/templates/clusterrolebinding.yaml @@ -15,13 +15,14 @@ limitations under the License. */}} {{- if .Values.manifests.clusterrolebinding }} +{{- $serviceAccountName := "nfs-provisioner"}} apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: run-nfs-provisioner subjects: - kind: ServiceAccount - name: nfs-provisioner + name: {{ $serviceAccountName }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole diff --git a/nfs-provisioner/templates/deployment.yaml b/nfs-provisioner/templates/deployment.yaml index 8c2670a27..7d88373c8 100644 --- a/nfs-provisioner/templates/deployment.yaml +++ b/nfs-provisioner/templates/deployment.yaml 
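Review bot: `{{- $serviceAccountName := "nfs-provisioner"}}` is now spelled out independently in clusterrolebinding.yaml (this hunk) and again in deployment.yaml in the next hunk, where the account is actually created; a ClusterRoleBinding resolves its subject by name only, so if the two literals ever drift the binding silently points at a non-existent account and the provisioner loses its cluster permissions with no render-time error. A single source — one values key or a tiny named template both files include — would remove that failure mode, and the same duplicated-literal pattern recurs in the prometheus-alertmanager, prometheus-kube-state-metrics, prometheus-node-exporter and prometheus clusterrolebinding hunks. I also note the binding is rendered under `manifests.clusterrolebinding` while the account now comes from the deployment template, so toggling one without the other presumably leaves a dangling binding; a comment next to the literal saying where the account is created, e.g. `# must match the account created by deployment.yaml via kubernetes_pod_rbac_serviceaccount`, would at least make the coupling visible.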
@@ -21,6 +21,9 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.nfs -}} {{- end -}} + +{{- $serviceAccountName := "nfs-provisioner"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- kind: Deployment apiVersion: apps/v1beta1 @@ -35,7 +38,7 @@ spec: labels: {{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: - serviceAccount: nfs-provisioner + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: @@ -83,7 +86,6 @@ spec: - name: export-volume mountPath: /export volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} - name: export-volume {{- if eq .Values.storage.type "persistentVolumeClaim" }} persistentVolumeClaim: diff --git a/nfs-provisioner/templates/job-image-repo-sync.yaml b/nfs-provisioner/templates/job-image-repo-sync.yaml index 60bc42a82..364e8d190 100644 --- a/nfs-provisioner/templates/job-image-repo-sync.yaml +++ b/nfs-provisioner/templates/job-image-repo-sync.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.images.local_registry.active -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}} + +{{- $serviceAccountName := "nfs-image-repo-sync"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -29,6 +32,7 @@ spec: labels: {{ tuple $envAll "nfs" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} @@ -60,6 +64,5 @@ spec: - name: docker-socket hostPath: path: /var/run/docker.sock -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} {{- end }} diff --git a/nfs-provisioner/templates/rbac-entrypoint.yaml b/nfs-provisioner/templates/rbac-entrypoint.yaml deleted file mode 100644 index 311712ea9..000000000 --- a/nfs-provisioner/templates/rbac-entrypoint.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.rbac_entrypoint }} -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}} -{{- end }} diff --git a/nfs-provisioner/templates/serviceaccount.yaml b/nfs-provisioner/templates/serviceaccount.yaml deleted file mode 100644 index 3497e5363..000000000 --- a/nfs-provisioner/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.serviceaccount }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nfs-provisioner -{{- end }} diff --git a/nfs-provisioner/values.yaml b/nfs-provisioner/values.yaml index cc72b60b1..51bc1adf8 100644 --- a/nfs-provisioner/values.yaml +++ b/nfs-provisioner/values.yaml @@ -127,8 +127,6 @@ manifests: clusterrolebinding: true deployment: true job_image_repo_sync: true - rbac_entrypoint: true service: true - serviceaccount: true storage_class: true volume_claim: true diff --git a/prometheus-alertmanager/templates/clusterrolebinding.yaml b/prometheus-alertmanager/templates/clusterrolebinding.yaml index f82b65b2e..3a31c8e0f 100644 --- a/prometheus-alertmanager/templates/clusterrolebinding.yaml +++ b/prometheus-alertmanager/templates/clusterrolebinding.yaml @@ -15,6 +15,8 @@ limitations under the License. */}} {{- if .Values.manifests.clusterrolebinding }} +{{- $envAll := . }} +{{- $serviceAccountName := "alertmanager"}} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding @@ -22,8 +24,8 @@ metadata: name: run-alertmanager subjects: - kind: ServiceAccount - name: alertmanager - namespace: {{ .Release.Namespace }} + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} roleRef: kind: ClusterRole name: cluster-admin 
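Review bot: The subject this hunk parameterises as `name: {{ $serviceAccountName }}` is the same `alertmanager` account that the statefulset hunk now creates through the least-privilege `kubernetes_pod_rbac_serviceaccount` snippet, yet the unchanged `roleRef` on the context lines still binds it to `cluster-admin`, so the narrowly scoped Roles the snippet generates are irrelevant for that pod. That binding predates this change, but since the commit's stated purpose is per-pod RBAC it seems worth a follow-up to a ClusterRole limited to what alertmanager actually reads, or at least a comment above `roleRef:` such as `# TODO: replace cluster-admin with a narrow ClusterRole; the snippet-generated Roles are shadowed by it`.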
diff --git a/prometheus-alertmanager/templates/job-image-repo-sync.yaml b/prometheus-alertmanager/templates/job-image-repo-sync.yaml index 4179f7824..db3cce309 100644 --- a/prometheus-alertmanager/templates/job-image-repo-sync.yaml +++ b/prometheus-alertmanager/templates/job-image-repo-sync.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.images.local_registry.active -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}} + +{{- $serviceAccountName := "alertmanager-image-repo-sync"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,6 +32,7 @@ spec: labels: {{ tuple $envAll "alertmanager" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} @@ -60,6 +64,5 @@ spec: - name: docker-socket hostPath: path: /var/run/docker.sock -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} {{- end }} diff --git a/prometheus-alertmanager/templates/rbac-entrypoint.yaml b/prometheus-alertmanager/templates/rbac-entrypoint.yaml deleted file mode 100644 index 64d1b45ab..000000000 --- a/prometheus-alertmanager/templates/rbac-entrypoint.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ - -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.rbac_entrypoint }} -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}} -{{- end }} diff --git a/prometheus-alertmanager/templates/serviceaccount.yaml b/prometheus-alertmanager/templates/serviceaccount.yaml deleted file mode 100644 index 9800fc214..000000000 --- a/prometheus-alertmanager/templates/serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.serviceaccount }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: alertmanager -{{- end }} diff --git a/prometheus-alertmanager/templates/statefulset.yaml b/prometheus-alertmanager/templates/statefulset.yaml index d0ef9cf8b..8a19d464e 100644 --- a/prometheus-alertmanager/templates/statefulset.yaml +++ b/prometheus-alertmanager/templates/statefulset.yaml 
@@ -21,8 +21,12 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.alertmanager -}} {{- end -}} + {{- $mounts_alertmanager := .Values.pod.mounts.alertmanager.alertmanager }} {{- $mounts_alertmanager_init := .Values.pod.mounts.alertmanager.init_container }} + +{{- $serviceAccountName := "alertmanager"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -93,7 +97,6 @@ spec: mountPath: /var/lib/alertmanager/data {{ if $mounts_alertmanager.volumeMounts }}{{ toYaml $mounts_alertmanager.volumeMounts | indent 12 }}{{ end }} volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} - name: etc-alertmanager emptyDir: {} - name: alertmanager-etc diff --git a/prometheus-alertmanager/values.yaml b/prometheus-alertmanager/values.yaml index 254fe242c..7987e968c 100644 --- a/prometheus-alertmanager/values.yaml +++ b/prometheus-alertmanager/values.yaml @@ -151,11 +151,9 @@ manifests: ingress: true job_image_repo_sync: true pvc: true - rbac_entrypoint: true service: true service_discovery: true service_ingress: true - serviceaccount: true statefulset: true conf: diff --git a/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml b/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml index 434222010..42bab214c 100644 --- a/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml +++ b/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml @@ -16,6 +16,7 @@ limitations under the License. {{- if .Values.manifests.clusterrolebinding }} {{- $envAll := . }} +{{- $serviceAccountName := "kube-state-metrics"}} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding 
@@ -23,8 +24,8 @@ metadata: name: run-kube-state-metrics subjects: - kind: ServiceAccount - name: kube-state-metrics - namespace: {{ .Release.Namespace }} + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} roleRef: kind: ClusterRole name: kube-state-metrics-runner diff --git a/prometheus-kube-state-metrics/templates/deployment.yaml b/prometheus-kube-state-metrics/templates/deployment.yaml index 60ce56d63..3f2dfb312 100644 --- a/prometheus-kube-state-metrics/templates/deployment.yaml +++ b/prometheus-kube-state-metrics/templates/deployment.yaml @@ -21,6 +21,9 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.kube_state_metrics -}} {{- end -}} + +{{- $serviceAccountName := "kube-state-metrics"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: Deployment @@ -34,7 +37,7 @@ spec: labels: {{ tuple $envAll "kube-state-metrics" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: - serviceAccount: kube-state-metrics + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.kube_state_metrics.timeout | default "30" }} @@ -47,6 +50,4 @@ spec: ports: - name: metrics containerPort: {{ .Values.network.kube_state_metrics.port }} - volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} diff --git a/prometheus-kube-state-metrics/templates/job-image-repo-sync.yaml b/prometheus-kube-state-metrics/templates/job-image-repo-sync.yaml index 854e74f28..f763fe072 100644 --- a/prometheus-kube-state-metrics/templates/job-image-repo-sync.yaml +++ b/prometheus-kube-state-metrics/templates/job-image-repo-sync.yaml 
@@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.images.local_registry.active -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}} + +{{- $serviceAccountName := "kube-metrics-image-repo-sync"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,6 +32,7 @@ spec: labels: {{ tuple $envAll "kube-metrics" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} @@ -60,6 +64,5 @@ spec: - name: docker-socket hostPath: path: /var/run/docker.sock -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} {{- end }} diff --git a/prometheus-kube-state-metrics/templates/rbac-entrypoint.yaml b/prometheus-kube-state-metrics/templates/rbac-entrypoint.yaml deleted file mode 100644 index 82b9916e8..000000000 --- a/prometheus-kube-state-metrics/templates/rbac-entrypoint.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.rbac_entrypoint }} -{{- $envAll := . }} -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}} -{{- end }} 
diff --git a/prometheus-kube-state-metrics/templates/serviceaccount.yaml b/prometheus-kube-state-metrics/templates/serviceaccount.yaml deleted file mode 100644 index 6269e7169..000000000 --- a/prometheus-kube-state-metrics/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.serviceaccount }} -{{- $envAll := . }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kube-state-metrics -{{- end }} diff --git a/prometheus-kube-state-metrics/values.yaml b/prometheus-kube-state-metrics/values.yaml index 4900684c3..e315f1ad0 100644 --- a/prometheus-kube-state-metrics/values.yaml +++ b/prometheus-kube-state-metrics/values.yaml @@ -142,7 +142,6 @@ manifests: clusterrolebinding: true deployment: true job_image_repo_sync: true - rbac_entrypoint: true service_kube_metrics: true service_controller_manager: true service_scheduler: true diff --git a/prometheus-node-exporter/templates/clusterrolebinding.yaml b/prometheus-node-exporter/templates/clusterrolebinding.yaml index d6873b42f..40489f290 100644 --- a/prometheus-node-exporter/templates/clusterrolebinding.yaml +++ b/prometheus-node-exporter/templates/clusterrolebinding.yaml 
@@ -16,6 +16,7 @@ limitations under the License. {{- if .Values.manifests.clusterrolebinding }} {{- $envAll := . }} +{{- $serviceAccountName := "node-exporter"}} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding @@ -23,7 +24,7 @@ metadata: name: run-node-exporter subjects: - kind: ServiceAccount - name: node-exporter + name: {{ $serviceAccountName }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole diff --git a/prometheus-node-exporter/templates/daemonset.yaml b/prometheus-node-exporter/templates/daemonset.yaml index 3cbce45c8..61a894553 100644 --- a/prometheus-node-exporter/templates/daemonset.yaml +++ b/prometheus-node-exporter/templates/daemonset.yaml @@ -21,6 +21,9 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.node_exporter -}} {{- end -}} + +{{- $serviceAccountName := "node-exporter"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -35,7 +38,7 @@ spec: {{ tuple $envAll "node_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} namespace: {{ .Values.endpoints.node_metrics.namespace }} spec: - serviceAccount: node-exporter + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} hostNetwork: true @@ -58,7 +61,6 @@ spec: mountPath: /host/sys readOnly: true volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} - name: proc hostPath: path: /proc diff --git a/prometheus-node-exporter/templates/job-image-repo-sync.yaml b/prometheus-node-exporter/templates/job-image-repo-sync.yaml index eaeef8f7b..8d3c1d396 100644 --- a/prometheus-node-exporter/templates/job-image-repo-sync.yaml +++ b/prometheus-node-exporter/templates/job-image-repo-sync.yaml 
@@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.images.local_registry.active -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}} + +{{- $serviceAccountName := "node-exporter-image-repo-sync"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,6 +32,7 @@ spec: labels: {{ tuple $envAll "node-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} @@ -60,6 +64,5 @@ spec: - name: docker-socket hostPath: path: /var/run/docker.sock -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} {{- end }} diff --git a/prometheus-node-exporter/templates/rbac-entrypoint.yaml b/prometheus-node-exporter/templates/rbac-entrypoint.yaml deleted file mode 100644 index 82b9916e8..000000000 --- a/prometheus-node-exporter/templates/rbac-entrypoint.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.rbac_entrypoint }} -{{- $envAll := . }} -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}} -{{- end }} 
diff --git a/prometheus-node-exporter/templates/serviceaccount.yaml b/prometheus-node-exporter/templates/serviceaccount.yaml deleted file mode 100644 index e036edd7a..000000000 --- a/prometheus-node-exporter/templates/serviceaccount.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.serviceaccount }} -{{- $envAll := . }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: node-exporter -{{- end }} diff --git a/prometheus-node-exporter/values.yaml b/prometheus-node-exporter/values.yaml index 05ff92d24..ff0d3e984 100644 --- a/prometheus-node-exporter/values.yaml +++ b/prometheus-node-exporter/values.yaml @@ -131,6 +131,4 @@ manifests: clusterrolebinding: true daemonset: true job_image_repo_sync: true - rbac_entrypoint: true service: true - serviceaccount: true diff --git a/prometheus/templates/clusterrolebinding.yaml b/prometheus/templates/clusterrolebinding.yaml index c59589ca4..e232353f9 100644 --- a/prometheus/templates/clusterrolebinding.yaml +++ b/prometheus/templates/clusterrolebinding.yaml @@ -16,6 +16,7 @@ limitations under the License. */}} {{- if .Values.manifests.clusterrolebinding }} +{{- $serviceAccountName := "prometheus"}} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding 
@@ -23,7 +24,7 @@ metadata: name: run-prometheus subjects: - kind: ServiceAccount - name: prometheus + name: {{ $serviceAccountName }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole diff --git a/prometheus/templates/job-image-repo-sync.yaml b/prometheus/templates/job-image-repo-sync.yaml index 57c58f830..301622614 100644 --- a/prometheus/templates/job-image-repo-sync.yaml +++ b/prometheus/templates/job-image-repo-sync.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.images.local_registry.active -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}} + +{{- $serviceAccountName := "prometheus-image-repo-sync"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,6 +32,7 @@ spec: labels: {{ tuple $envAll "prometheus" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} @@ -60,6 +64,5 @@ spec: - name: docker-socket hostPath: path: /var/run/docker.sock -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} {{- end }} diff --git a/prometheus/templates/pod-helm-tests.yaml b/prometheus/templates/pod-helm-tests.yaml index 0fa3fa285..70f63ad89 100644 --- a/prometheus/templates/pod-helm-tests.yaml +++ b/prometheus/templates/pod-helm-tests.yaml @@ -40,7 +40,6 @@ spec: subPath: helm-tests.sh readOnly: true volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 4 }} - name: prometheus-bin configMap: name: prometheus-bin 
diff --git a/prometheus/templates/rbac-entrypoint.yaml b/prometheus/templates/rbac-entrypoint.yaml deleted file mode 100644 index 64d1b45ab..000000000 --- a/prometheus/templates/rbac-entrypoint.yaml +++ /dev/null @@ -1,20 +0,0 @@ - -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.rbac_entrypoint }} -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}} -{{- end }} diff --git a/prometheus/templates/serviceaccount.yaml b/prometheus/templates/serviceaccount.yaml deleted file mode 100644 index dd8d7fef6..000000000 --- a/prometheus/templates/serviceaccount.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.serviceaccount }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: prometheus -{{- end }} 
diff --git a/prometheus/templates/statefulset.yaml b/prometheus/templates/statefulset.yaml index 3dda9d4f8..0d13dc7e8 100644 --- a/prometheus/templates/statefulset.yaml +++ b/prometheus/templates/statefulset.yaml @@ -21,8 +21,12 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.prometheus -}} {{- end -}} + {{- $mounts_prometheus := .Values.pod.mounts.prometheus.prometheus }} {{- $mounts_prometheus_init := .Values.pod.mounts.prometheus.init_container }} + +{{- $serviceAccountName := "prometheus"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -40,7 +44,7 @@ spec: configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} configmap-rules-hash: {{ tuple "configmap-rules.yaml" . | include "helm-toolkit.utils.hash" }} spec: - serviceAccount: prometheus + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "prometheus" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: @@ -131,7 +135,6 @@ spec: mountPath: /var/lib/prometheus/data {{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }} volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} - name: etcprometheus emptyDir: {} - name: rulesprometheus diff --git a/prometheus/values.yaml b/prometheus/values.yaml index fbddc61df..1446c692e 100644 --- a/prometheus/values.yaml +++ b/prometheus/values.yaml @@ -176,10 +176,8 @@ manifests: helm_tests: true job_image_repo_sync: true pvc: true - rbac_entrypoint: true service_ingress_prometheus: true service: true - serviceaccount: true statefulset_prometheus: true conf: diff --git a/redis/templates/deployment.yaml b/redis/templates/deployment.yaml index b68d39824..27b7a6116 100644 
--- a/redis/templates/deployment.yaml +++ b/redis/templates/deployment.yaml @@ -21,6 +21,9 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.redis -}} {{- end -}} + +{{- $serviceAccountName := "redis"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -34,6 +37,7 @@ spec: labels: {{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: @@ -53,6 +57,4 @@ spec: readinessProbe: tcpSocket: port: {{ .Values.network.port }} - volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} diff --git a/redis/templates/job-image-repo-sync.yaml b/redis/templates/job-image-repo-sync.yaml index 75eff2272..203f3317c 100644 --- a/redis/templates/job-image-repo-sync.yaml +++ b/redis/templates/job-image-repo-sync.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.images.local_registry.active -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}} + +{{- $serviceAccountName := "redis-image-repo-sync"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,6 +32,7 @@ spec: labels: {{ tuple $envAll "redis" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} 
@@ -60,6 +64,5 @@ spec: - name: docker-socket hostPath: path: /var/run/docker.sock -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} {{- end }} diff --git a/redis/templates/rbac-entrypoint.yaml b/redis/templates/rbac-entrypoint.yaml deleted file mode 100644 index 311712ea9..000000000 --- a/redis/templates/rbac-entrypoint.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.rbac_entrypoint }} -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}} -{{- end }} diff --git a/redis/values.yaml b/redis/values.yaml index 4990cf200..41f33e6f4 100644 --- a/redis/values.yaml +++ b/redis/values.yaml @@ -106,5 +106,4 @@ manifests: configmap_bin: true deployment: true job_image_repo_sync: true - rbac_entrypoint: true service: true diff --git a/registry/templates/daemonset-registry-proxy.yaml b/registry/templates/daemonset-registry-proxy.yaml index f90238f10..012e93c58 100644 --- a/registry/templates/daemonset-registry-proxy.yaml +++ b/registry/templates/daemonset-registry-proxy.yaml 
@@ -21,6 +21,9 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.registry_proxy -}} {{- end -}} + +{{- $serviceAccountName := "docker-registry-proxy"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -35,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} dnsPolicy: ClusterFirstWithHostNet @@ -57,7 +61,6 @@ spec: subPath: default.conf readOnly: true volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} - name: registry-bin configMap: name: registry-bin diff --git a/registry/templates/deployment-registry.yaml b/registry/templates/deployment-registry.yaml index 574c5db0e..6f507593a 100644 --- a/registry/templates/deployment-registry.yaml +++ b/registry/templates/deployment-registry.yaml @@ -21,6 +21,9 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.registry -}} {{- end -}} + +{{- $serviceAccountName := "docker-registry"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -37,6 +40,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "docker" "registry" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: @@ -64,7 +68,6 @@ spec: - name: docker-images mountPath: {{ .Values.conf.registry.storage.filesystem.rootdirectory }} volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} - name: registry-bin configMap: name: registry-bin diff --git a/registry/templates/job-bootstrap.yaml b/registry/templates/job-bootstrap.yaml index f2548302d..34375e7ac 100644 --- a/registry/templates/job-bootstrap.yaml +++ b/registry/templates/job-bootstrap.yaml @@ -22,6 +22,9 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.bootstrap -}} {{- end -}} + +{{- $serviceAccountName := "docker-bootstrap"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -33,6 +36,7 @@ spec: labels: {{ tuple $envAll "docker" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} @@ -57,7 +61,6 @@ spec: - name: docker-socket mountPath: /var/run/docker.sock volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} - name: registry-bin configMap: name: registry-bin diff --git a/registry/templates/rbac-entrypoint.yaml b/registry/templates/rbac-entrypoint.yaml deleted file mode 100644 index 311712ea9..000000000 
--- a/registry/templates/rbac-entrypoint.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.rbac_entrypoint }} -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}} -{{- end }} diff --git a/registry/values.yaml b/registry/values.yaml index 403fb95ee..158d1b36b 100644 --- a/registry/values.yaml +++ b/registry/values.yaml @@ -179,5 +179,4 @@ manifests: job_bootstrap: true job_image_repo_sync: true pvc_images: true - rbac_entrypoint: true service_registry: true diff --git a/tiller/templates/deployment-tiller.yaml b/tiller/templates/deployment-tiller.yaml index 5262e24c7..0cac1bfa1 100644 --- a/tiller/templates/deployment-tiller.yaml +++ b/tiller/templates/deployment-tiller.yaml @@ -21,6 +21,9 @@ limitations under the License. {{- else -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.tiller -}} {{- end -}} + +{{- $serviceAccountName := "tiller"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: Deployment 
@@ -87,9 +90,7 @@ spec: restartPolicy: Always schedulerName: default-scheduler securityContext: {} - serviceAccount: tiller - serviceAccountName: tiller + serviceAccount: {{ $serviceAccountName }} + serviceAccountName: {{ $serviceAccountName }} terminationGracePeriodSeconds: 30 - volumes: -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} diff --git a/tiller/templates/job-image-repo-sync.yaml b/tiller/templates/job-image-repo-sync.yaml index 20faec96c..8cadeb587 100644 --- a/tiller/templates/job-image-repo-sync.yaml +++ b/tiller/templates/job-image-repo-sync.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.images.local_registry.active -}} {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}} + +{{- $serviceAccountName := "kube-dns-image-repo-sync"}} +{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,6 +32,7 @@ spec: labels: {{ tuple $envAll "tiller" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} @@ -60,6 +64,5 @@ spec: - name: docker-socket hostPath: path: /var/run/docker.sock -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }} {{- end }} {{- end }} diff --git a/tiller/templates/rbac-entrypoint.yaml b/tiller/templates/rbac-entrypoint.yaml deleted file mode 100644 index 311712ea9..000000000 --- a/tiller/templates/rbac-entrypoint.yaml +++ /dev/null 
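Review bot: The tiller pod spec keeps both `serviceAccount:` and `serviceAccountName:` set to `{{ $serviceAccountName }}`; `serviceAccount` is the deprecated alias of `serviceAccountName`, and the rest of this change moves the other charts to `serviceAccountName` alone (the node-exporter daemonset and the prometheus statefulset both replace `serviceAccount:`). Dropping the `serviceAccount:` line leaves a single field to check when auditing which identity the pod runs under. The enclosing pod spec begins before this hunk.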
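Review bot: `$serviceAccountName := "kube-dns-image-repo-sync"` in tiller/templates/job-image-repo-sync.yaml does not follow the `<chart>-image-repo-sync` naming used by every other chart in this change (prometheus-image-repo-sync, redis-image-repo-sync, node-exporter-image-repo-sync) and looks copied from another chart. As written the tiller job runs under, and the snippet creates RBAC for, a service account named after kube-dns; if a kube-dns chart in this repository defines the same name in the same namespace, the two releases would contend for one object and share its grants. The line should read `{{- $serviceAccountName := "tiller-image-repo-sync"}}`.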
@@ -1,19 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.rbac_entrypoint }} -{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}} -{{- end }} diff --git a/tiller/templates/serviceaccount-tiller.yaml b/tiller/templates/serviceaccount-tiller.yaml deleted file mode 100644 index d69975a31..000000000 --- a/tiller/templates/serviceaccount-tiller.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.serviceaccount_tiller }} -{{- $envAll := . }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: tiller -{{- end }} diff --git a/tiller/values.yaml b/tiller/values.yaml index f14e5ba7e..2a7a46631 100644 --- a/tiller/values.yaml +++ b/tiller/values.yaml 
@@ -83,6 +83,4 @@ manifests: configmap_bin: true deployment_tiller: true job_image_repo_sync: true - rbac_entrypoint: true service_tiller_deploy: true - serviceaccount_tiller: true