RBAC: Consolidate serviceaccounts and restrict rbac
Currently, services have two serviceaccounts: one specified in the chart that cannot read anything, and one injected via helm-toolkit that can read everything. This patch set refactors the logic to: - cleanup the roles and their binding automatically when the helm chart is deleted; - remove the need to separately mount a serviceaccount with secret; - better handling of namespaces resource restriction. Co-Authored-By: portdirect <pete@port.direct> Change-Id: I47d41e0cad9b5b002f59fc9652bad2cc025538dc
This commit is contained in:
parent
8b6d6c43cb
commit
628fd3007d
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.etcd -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "calico-etcd"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
# This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
|
||||
# to force it to run on the master even when the master isn't schedulable, and uses
|
||||
@ -76,7 +79,6 @@ spec:
|
||||
- name: var-etcd
|
||||
mountPath: /var/etcd
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: var-etcd
|
||||
hostPath:
|
||||
path: /var/etcd
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_node -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "calico-cni-plugin"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
# This manifest installs the calico/node container, as well
|
||||
# as the Calico CNI plugins and network config on
|
||||
@ -57,7 +60,7 @@ spec:
|
||||
# This, along with the annotation above marks this pod as a critical add-on.
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
serviceAccountName: calico-cni-plugin
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
initContainers:
|
||||
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
@ -160,7 +163,6 @@ spec:
|
||||
- mountPath: /host/etc/cni/net.d
|
||||
name: cni-net-dir
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
# Used by calico/node.
|
||||
- name: lib-modules
|
||||
hostPath:
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_policy_controller -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "calico-policy-controller"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
# This manifest deploys the Calico policy controller on Kubernetes.
|
||||
# See https://github.com/projectcalico/k8s-policy
|
||||
@ -58,7 +61,7 @@ spec:
|
||||
# This, along with the annotation above marks this pod as a critical add-on.
|
||||
- key: CriticalAddonsOnly
|
||||
operator: Exists
|
||||
serviceAccountName: calico-policy-controller
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
initContainers:
|
||||
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
@ -80,6 +83,4 @@ spec:
|
||||
# kubernetes.default to the correct service clusterIP.
|
||||
- name: CONFIGURE_ETC_HOSTS
|
||||
value: "true"
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "calico-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "calico" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -53,7 +57,6 @@ spec:
|
||||
- name: docker-socket
|
||||
mountPath: /var/run/docker.sock
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: calico-bin
|
||||
configMap:
|
||||
name: calico-bin
|
||||
|
@ -1,19 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -114,7 +114,4 @@ manifests:
|
||||
daemonset_calico_node: true
|
||||
deployment_calico_policy_controller: true
|
||||
job_image_repo_sync: true
|
||||
rbac_entrypoint: true
|
||||
service_calico_etcd: true
|
||||
serviceaccount_calico_cni_plugin: true
|
||||
serviceaccount_calico_policy_controller: true
|
||||
|
@ -14,11 +14,20 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.serviceaccount_calico_cni_plugin }}
|
||||
{{- if .Values.manifests.clusterrolebinding_client }}
|
||||
{{- $envAll := . }}
|
||||
{{- $serviceAccountName := "elasticsearch-client"}}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: calico-cni-plugin
|
||||
name: run-elasticsearch-client
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: elasticsearch-runner
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
@ -14,16 +14,17 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.clusterrolebinding }}
|
||||
{{- if .Values.manifests.clusterrolebinding_data }}
|
||||
{{- $envAll := . }}
|
||||
{{- $serviceAccountName := "elasticsearch-data"}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: run-elasticsearch
|
||||
name: run-elasticsearch-data
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: elasticsearch
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
@ -26,8 +26,8 @@ data:
|
||||
{{- tuple .Values.conf.elasticsearch "etc/_elasticsearch.yml.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
log4j2.properties: |+
|
||||
{{- tuple .Values.conf.elasticsearch "etc/_log4j2.properties.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
|
||||
action_file.yml:
|
||||
action_file.yml: |-
|
||||
{{ toYaml .Values.conf.curator.action_file | indent 4 }}
|
||||
config.yml:
|
||||
config.yml: |-
|
||||
{{ toYaml .Values.conf.curator.config | indent 4 }}
|
||||
{{- end }}
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- if .Capabilities.APIVersions.Has "batch/v2alpha1" }}
|
||||
{{- $envAll := . }}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.curator -}}
|
||||
|
||||
{{- $serviceAccountName := "curator"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v2alpha1
|
||||
kind: CronJob
|
||||
@ -32,6 +35,7 @@ spec:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
initContainers:
|
||||
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }}
|
||||
@ -67,6 +71,5 @@ spec:
|
||||
configMap:
|
||||
name: elastic-etc
|
||||
defaultMode: 0444
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_client -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "elasticsearch-client"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
@ -37,7 +40,7 @@ spec:
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
serviceAccount: elasticsearch
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "elasticsearch" "client" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.client.timeout | default "600" }}
|
||||
@ -124,7 +127,6 @@ spec:
|
||||
- name: storage
|
||||
mountPath: {{ .Values.conf.elasticsearch.path.data }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: elastic-logs
|
||||
emptyDir: {}
|
||||
- name: elastic-bin
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_master -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "elasticsearch-master"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
@ -37,7 +40,7 @@ spec:
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
serviceAccount: elasticsearch
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.master.timeout | default "600" }}
|
||||
@ -118,7 +121,6 @@ spec:
|
||||
- name: storage
|
||||
mountPath: {{ .Values.conf.elasticsearch.path.data }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: elastic-logs
|
||||
emptyDir: {}
|
||||
- name: elastic-bin
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "elasticsearch-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "elasticsearch" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -60,6 +64,5 @@ spec:
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -40,7 +40,6 @@ spec:
|
||||
subPath: helm-tests.sh
|
||||
readOnly: true
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 4 }}
|
||||
- name: elastic-bin
|
||||
configMap:
|
||||
name: elastic-bin
|
||||
|
@ -1,19 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_data -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "elasticsearch-data"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: apps/v1beta1
|
||||
kind: StatefulSet
|
||||
@ -34,7 +37,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccount: elasticsearch
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.data.timeout | default "600" }}
|
||||
@ -115,7 +118,6 @@ spec:
|
||||
- name: storage
|
||||
mountPath: {{ .Values.conf.elasticsearch.path.data }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: elastic-logs
|
||||
emptyDir: {}
|
||||
- name: elastic-bin
|
||||
|
@ -133,9 +133,9 @@ conf:
|
||||
init:
|
||||
max_map_count: 262144
|
||||
curator:
|
||||
schedule: 1 0 * * *
|
||||
action_file: |
|
||||
---
|
||||
#runs weekly
|
||||
schedule: "0 0 * * 0"
|
||||
action_file:
|
||||
# Remember, leave a key empty if there is no value. None will be a string,
|
||||
# not a Python "NoneType"
|
||||
#
|
||||
@ -161,8 +161,7 @@ conf:
|
||||
stats_result:
|
||||
epoch:
|
||||
exclude: False
|
||||
config: |
|
||||
---
|
||||
config:
|
||||
# Remember, leave a key empty if there is no value. None will be a string,
|
||||
# not a Python "NoneType"
|
||||
client:
|
||||
@ -255,7 +254,8 @@ storage:
|
||||
|
||||
manifests:
|
||||
clusterrole: true
|
||||
clusterrolebinding: true
|
||||
clusterrolebinding_client: true
|
||||
clusterrolebinding_data: true
|
||||
configmap_bin: true
|
||||
configmap_etc: true
|
||||
cron_curator: true
|
||||
@ -263,7 +263,6 @@ manifests:
|
||||
deployment_master: true
|
||||
job_image_repo_sync: true
|
||||
helm_tests: true
|
||||
rbac_entrypoint: true
|
||||
serviceaccount: true
|
||||
service_data: true
|
||||
service_discovery: true
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.flannel -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "flannel"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: DaemonSet
|
||||
@ -45,7 +48,7 @@ spec:
|
||||
- key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
effect: NoSchedule
|
||||
serviceAccountName: flannel
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
initContainers:
|
||||
{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||
containers:
|
||||
@ -77,7 +80,6 @@ spec:
|
||||
- name: flannel-cfg
|
||||
mountPath: /etc/kube-flannel/
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: run
|
||||
hostPath:
|
||||
path: /run
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "flannel-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "flannel" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -53,7 +57,6 @@ spec:
|
||||
- name: docker-socket
|
||||
mountPath: /var/run/docker.sock
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: flannel-bin
|
||||
configMap:
|
||||
name: flannel-bin
|
||||
|
@ -1,19 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -84,5 +84,4 @@ manifests:
|
||||
configmap_kube_flannel_cfg: true
|
||||
daemonset_kube_flannel_ds: true
|
||||
job_image_repo_sync: true
|
||||
rbac_entrypoint: true
|
||||
serviceaccount_flannel: true
|
||||
|
@ -14,11 +14,19 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.serviceaccount_calico_policy_controller }}
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.manifests.clusterrolebinding_fluentbit }}
|
||||
{{- $serviceAccountName := "fluentbit"}}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
name: run-fluent-bit-logging
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: fluent-logging-runner
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
@ -14,14 +14,16 @@ See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.clusterrolebinding }}
|
||||
{{- if .Values.manifests.clusterrolebinding_logging }}
|
||||
{{- $serviceAccountName := "fluentd"}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: run-fluent-logging
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: fluent-logging
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
@ -22,7 +22,11 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentbit -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $mounts_fluentbit := .Values.pod.mounts.fluentbit.fluentbit }}
|
||||
|
||||
{{- $serviceAccountName := "fluentbit"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: DaemonSet
|
||||
@ -37,7 +41,7 @@ spec:
|
||||
annotations:
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
serviceAccount: fluent-logging
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
nodeSelector:
|
||||
{{ .Values.labels.fluentbit.node_selector_key }}: {{ .Values.labels.fluentbit.node_selector_value }}
|
||||
hostNetwork: true
|
||||
@ -73,7 +77,6 @@ spec:
|
||||
readOnly: true
|
||||
{{ if $mounts_fluentbit.volumeMounts }}{{ toYaml $mounts_fluentbit.volumeMounts | indent 8 }}{{ end }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: varlog
|
||||
hostPath:
|
||||
path: /var/log
|
||||
|
@ -21,7 +21,11 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentd -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $mounts_fluentd := .Values.pod.mounts.fluentd.fluentd }}
|
||||
|
||||
{{- $serviceAccountName := "fluentd"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
@ -38,7 +42,7 @@ spec:
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
serviceAccount: fluent-logging
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "aggregator" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
nodeSelector:
|
||||
@ -69,7 +73,6 @@ spec:
|
||||
readOnly: true
|
||||
{{- if $mounts_fluentd.volumeMounts }}{{ toYaml $mounts_fluentd.volumeMounts | indent 12 }}{{- end }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: pod-etc-fluentd
|
||||
emptyDir: {}
|
||||
- name: fluent-logging-etc
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "fluent-logging-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "fluent-logging-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -53,7 +57,6 @@ spec:
|
||||
- name: docker-socket
|
||||
mountPath: /var/run/docker.sock
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: fluent-logging-bin
|
||||
configMap:
|
||||
name: fluent-logging-bin
|
||||
|
@ -1,19 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -1,22 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.serviceaccount }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: fluent-logging
|
||||
{{- end }}
|
@ -217,14 +217,13 @@ pod:
|
||||
fluent_tests:
|
||||
|
||||
manifests:
|
||||
service_fluentd: true
|
||||
clusterrole: true
|
||||
clusterrolebinding_fluentbit: true
|
||||
clusterrolebinding_logging: true
|
||||
configmap_bin: true
|
||||
configmap_etc: true
|
||||
deployment_fluentd: true
|
||||
daemonset_fluentbit: true
|
||||
job_image_repo_sync: true
|
||||
helm_tests: true
|
||||
configmap_bin: true
|
||||
configmap_etc: true
|
||||
clusterrole: true
|
||||
clusterrolebinding: true
|
||||
rbac_entrypoint: true
|
||||
serviceaccount: true
|
||||
service_fluentd: true
|
||||
|
@ -18,8 +18,6 @@ limitations under the License.
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $deps := index . 1 -}}
|
||||
{{- $mounts := index . 2 -}}
|
||||
{{- $mountServiceAccount := dict "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" "name" "entrypoint-serviceaccount-secret" "readOnly" true -}}
|
||||
{{- $mountsEntrypoint := append $mounts $mountServiceAccount -}}
|
||||
- name: init
|
||||
{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
|
||||
env:
|
||||
@ -48,5 +46,5 @@ limitations under the License.
|
||||
command:
|
||||
- kubernetes-entrypoint
|
||||
volumeMounts:
|
||||
{{ toYaml $mountsEntrypoint | indent 4 }}
|
||||
{{ toYaml $mounts | indent 4 }}
|
||||
{{- end -}}
|
||||
|
@ -1,86 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_rbac" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $component := $envAll.Release.Name -}}
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: cluster-role-binding-entrypoint-{{ $component }}
|
||||
annotations:
|
||||
# Tiller sorts the execution of resources in the following order:
|
||||
# Secret, ServiceAccount, Role, RoleBinding. The problem is that
|
||||
# this Secret will not be created if ServiceAccount doesn't exist.
|
||||
# The solution is to add pre-install hook so that these are created first.
|
||||
helm.sh/hook: pre-install
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-role-entrypoint-{{ $component }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: service-account-entrypoint-{{ $component }}
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: cluster-role-entrypoint-{{ $component }}
|
||||
annotations:
|
||||
# Tiller sorts the execution of resources in the following order:
|
||||
# Secret, ServiceAccount, Role, RoleBinding. The problem is that
|
||||
# this Secret will not be created if ServiceAccount doesn't exist.
|
||||
# The solution is to add pre-install hook so that these are created first.
|
||||
helm.sh/hook: pre-install
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
- extensions
|
||||
- batch
|
||||
- apps
|
||||
resources:
|
||||
- pods
|
||||
- services
|
||||
- jobs
|
||||
- endpoints
|
||||
- daemonsets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: secret-entrypoint-{{ $component }}
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
annotations:
|
||||
kubernetes.io/service-account.name: service-account-entrypoint-{{ $component }}
|
||||
type: kubernetes.io/service-account-token
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: service-account-entrypoint-{{ $component }}
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
annotations:
|
||||
# Tiller sorts the execution of resources in the following order:
|
||||
# Secret, ServiceAccount, Role, RoleBinding. The problem is that
|
||||
# this Secret will not be created if ServiceAccount doesn't exist.
|
||||
# The solution is to add pre-install hook so that these are created first.
|
||||
helm.sh/hook: pre-install
|
||||
{{- end -}}
|
@ -1,24 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $component := $envAll.Release.Name -}}
|
||||
- name: entrypoint-serviceaccount-secret
|
||||
secret:
|
||||
secretName: secret-entrypoint-{{ $component }}
|
||||
defaultMode: 420
|
||||
{{- end -}}
|
@ -0,0 +1,68 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $deps := index . 1 -}}
|
||||
{{- $saName := index . 2 | replace "_" "-" }}
|
||||
{{- $saNamespace := index . 3 -}}
|
||||
{{- $releaseName := $envAll.Release.Name }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $releaseName }}-{{ $saName }}
|
||||
namespace: {{ $saNamespace }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $saName }}
|
||||
namespace: {{ $saNamespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
|
||||
namespace: {{ $saNamespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
- extensions
|
||||
- batch
|
||||
- apps
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
resources:
|
||||
{{- range $k, $v := $deps -}}
|
||||
{{ if eq $v "daemonsets" }}
|
||||
- daemonsets
|
||||
{{- end -}}
|
||||
{{ if eq $v "jobs" }}
|
||||
- jobs
|
||||
{{- end -}}
|
||||
{{ if or (eq $v "daemonsets") (eq $v "jobs") }}
|
||||
- pods
|
||||
{{- end -}}
|
||||
{{ if eq $v "services" }}
|
||||
- services
|
||||
- endpoints
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -0,0 +1,50 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
|
||||
{{- $envAll := index . 0 -}}
|
||||
{{- $deps := index . 1 -}}
|
||||
{{- $saName := index . 2 -}}
|
||||
{{- $saNamespace := $envAll.Release.Namespace }}
|
||||
{{- $randomKey := randAlphaNum 32 }}
|
||||
{{- $allNamespace := dict $randomKey "" }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ $saName }}
|
||||
namespace: {{ $saNamespace }}
|
||||
{{- range $k, $v := $deps -}}
|
||||
{{- if eq $k "services" }}
|
||||
{{- range $serv := $v }}
|
||||
{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
|
||||
{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
|
||||
{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
|
||||
{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- else if eq $k "jobs" }}
|
||||
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
|
||||
{{- else if eq $k "daemonset" }}
|
||||
{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- $_ := unset $allNamespace $randomKey }}
|
||||
{{- range $ns, $vv := $allNamespace }}
|
||||
{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
|
||||
{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
@ -187,7 +187,6 @@ spec:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 6 }}
|
||||
- configMap:
|
||||
defaultMode: 420
|
||||
name: kube-dns
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "kube-dns-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "kube-dns" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -60,6 +64,5 @@ spec:
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -1,19 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -84,6 +84,5 @@ manifests:
|
||||
configmap_kube_dns: true
|
||||
deployment_kube_dns: true
|
||||
job_image_repo_sync: true
|
||||
rbac_entrypoint: true
|
||||
service_kube_dns: true
|
||||
serviceaccount_kube_dns: true
|
||||
|
@ -15,13 +15,14 @@ limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.clusterrolebinding }}
|
||||
{{- $serviceAccountName := "nfs-provisioner"}}
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: run-nfs-provisioner
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: nfs-provisioner
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.nfs -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "nfs-provisioner"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
kind: Deployment
|
||||
apiVersion: apps/v1beta1
|
||||
@ -35,7 +38,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccount: nfs-provisioner
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
nodeSelector:
|
||||
@ -83,7 +86,6 @@ spec:
|
||||
- name: export-volume
|
||||
mountPath: /export
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: export-volume
|
||||
{{- if eq .Values.storage.type "persistentVolumeClaim" }}
|
||||
persistentVolumeClaim:
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "nfs-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "nfs" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -60,6 +64,5 @@ spec:
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -1,19 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -1,22 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.serviceaccount }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: nfs-provisioner
|
||||
{{- end }}
|
@ -127,8 +127,6 @@ manifests:
|
||||
clusterrolebinding: true
|
||||
deployment: true
|
||||
job_image_repo_sync: true
|
||||
rbac_entrypoint: true
|
||||
service: true
|
||||
serviceaccount: true
|
||||
storage_class: true
|
||||
volume_claim: true
|
||||
|
@ -15,6 +15,8 @@ limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.clusterrolebinding }}
|
||||
{{- $envAll := . }}
|
||||
{{- $serviceAccountName := "alertmanager"}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
@ -22,8 +24,8 @@ metadata:
|
||||
name: run-alertmanager
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: alertmanager
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "alertmanager-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "alertmanager" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -60,6 +64,5 @@ spec:
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -1,20 +0,0 @@
|
||||
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -1,22 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.serviceaccount }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: alertmanager
|
||||
{{- end }}
|
@ -21,8 +21,12 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.alertmanager -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $mounts_alertmanager := .Values.pod.mounts.alertmanager.alertmanager }}
|
||||
{{- $mounts_alertmanager_init := .Values.pod.mounts.alertmanager.init_container }}
|
||||
|
||||
{{- $serviceAccountName := "alertmanager"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: apps/v1beta1
|
||||
kind: StatefulSet
|
||||
@ -93,7 +97,6 @@ spec:
|
||||
mountPath: /var/lib/alertmanager/data
|
||||
{{ if $mounts_alertmanager.volumeMounts }}{{ toYaml $mounts_alertmanager.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: etc-alertmanager
|
||||
emptyDir: {}
|
||||
- name: alertmanager-etc
|
||||
|
@ -151,11 +151,9 @@ manifests:
|
||||
ingress: true
|
||||
job_image_repo_sync: true
|
||||
pvc: true
|
||||
rbac_entrypoint: true
|
||||
service: true
|
||||
service_discovery: true
|
||||
service_ingress: true
|
||||
serviceaccount: true
|
||||
statefulset: true
|
||||
|
||||
conf:
|
||||
|
@ -16,6 +16,7 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.clusterrolebinding }}
|
||||
{{- $envAll := . }}
|
||||
{{- $serviceAccountName := "kube-state-metrics"}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
@ -23,8 +24,8 @@ metadata:
|
||||
name: run-kube-state-metrics
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kube-state-metrics
|
||||
namespace: {{ .Release.Namespace }}
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: kube-state-metrics-runner
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.kube_state_metrics -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "kube-state-metrics"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
@ -34,7 +37,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "kube-state-metrics" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccount: kube-state-metrics
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.kube_state_metrics.timeout | default "30" }}
|
||||
@ -47,6 +50,4 @@ spec:
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: {{ .Values.network.kube_state_metrics.port }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "kube-metrics-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "kube-metrics" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -60,6 +64,5 @@ spec:
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -1,20 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{- $envAll := . }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -1,24 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.serviceaccount }}
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kube-state-metrics
|
||||
{{- end }}
|
@ -142,7 +142,6 @@ manifests:
|
||||
clusterrolebinding: true
|
||||
deployment: true
|
||||
job_image_repo_sync: true
|
||||
rbac_entrypoint: true
|
||||
service_kube_metrics: true
|
||||
service_controller_manager: true
|
||||
service_scheduler: true
|
||||
|
@ -16,6 +16,7 @@ limitations under the License.
|
||||
|
||||
{{- if .Values.manifests.clusterrolebinding }}
|
||||
{{- $envAll := . }}
|
||||
{{- $serviceAccountName := "node-exporter"}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
@ -23,7 +24,7 @@ metadata:
|
||||
name: run-node-exporter
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: node-exporter
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.node_exporter -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "node-exporter"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: DaemonSet
|
||||
@ -35,7 +38,7 @@ spec:
|
||||
{{ tuple $envAll "node_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
namespace: {{ .Values.endpoints.node_metrics.namespace }}
|
||||
spec:
|
||||
serviceAccount: node-exporter
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
hostNetwork: true
|
||||
@ -58,7 +61,6 @@ spec:
|
||||
mountPath: /host/sys
|
||||
readOnly: true
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: proc
|
||||
hostPath:
|
||||
path: /proc
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "node-exporter-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "node-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -60,6 +64,5 @@ spec:
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -1,20 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{- $envAll := . }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -1,24 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.serviceaccount }}
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: node-exporter
|
||||
{{- end }}
|
@ -131,6 +131,4 @@ manifests:
|
||||
clusterrolebinding: true
|
||||
daemonset: true
|
||||
job_image_repo_sync: true
|
||||
rbac_entrypoint: true
|
||||
service: true
|
||||
serviceaccount: true
|
||||
|
@ -16,6 +16,7 @@ limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.clusterrolebinding }}
|
||||
{{- $serviceAccountName := "prometheus"}}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
@ -23,7 +24,7 @@ metadata:
|
||||
name: run-prometheus
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: prometheus
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "prometheus-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "prometheus" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -60,6 +64,5 @@ spec:
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -40,7 +40,6 @@ spec:
|
||||
subPath: helm-tests.sh
|
||||
readOnly: true
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 4 }}
|
||||
- name: prometheus-bin
|
||||
configMap:
|
||||
name: prometheus-bin
|
||||
|
@ -1,20 +0,0 @@
|
||||
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -1,22 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.serviceaccount }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: prometheus
|
||||
{{- end }}
|
@ -21,8 +21,12 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.prometheus -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $mounts_prometheus := .Values.pod.mounts.prometheus.prometheus }}
|
||||
{{- $mounts_prometheus_init := .Values.pod.mounts.prometheus.init_container }}
|
||||
|
||||
{{- $serviceAccountName := "prometheus"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: apps/v1beta1
|
||||
kind: StatefulSet
|
||||
@ -40,7 +44,7 @@ spec:
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-rules-hash: {{ tuple "configmap-rules.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
serviceAccount: prometheus
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "prometheus" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
nodeSelector:
|
||||
@ -131,7 +135,6 @@ spec:
|
||||
mountPath: /var/lib/prometheus/data
|
||||
{{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: etcprometheus
|
||||
emptyDir: {}
|
||||
- name: rulesprometheus
|
||||
|
@ -176,10 +176,8 @@ manifests:
|
||||
helm_tests: true
|
||||
job_image_repo_sync: true
|
||||
pvc: true
|
||||
rbac_entrypoint: true
|
||||
service_ingress_prometheus: true
|
||||
service: true
|
||||
serviceaccount: true
|
||||
statefulset_prometheus: true
|
||||
|
||||
conf:
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.redis -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "redis"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: apps/v1beta1
|
||||
kind: Deployment
|
||||
@ -34,6 +37,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
nodeSelector:
|
||||
@ -53,6 +57,4 @@ spec:
|
||||
readinessProbe:
|
||||
tcpSocket:
|
||||
port: {{ .Values.network.port }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "redis-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "redis" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -60,6 +64,5 @@ spec:
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -1,19 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -106,5 +106,4 @@ manifests:
|
||||
configmap_bin: true
|
||||
deployment: true
|
||||
job_image_repo_sync: true
|
||||
rbac_entrypoint: true
|
||||
service: true
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.registry_proxy -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "docker-registry-proxy"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: DaemonSet
|
||||
@ -35,6 +38,7 @@ spec:
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
@ -57,7 +61,6 @@ spec:
|
||||
subPath: default.conf
|
||||
readOnly: true
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: registry-bin
|
||||
configMap:
|
||||
name: registry-bin
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.registry -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "docker-registry"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: apps/v1beta1
|
||||
kind: Deployment
|
||||
@ -37,6 +40,7 @@ spec:
|
||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "docker" "registry" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
nodeSelector:
|
||||
@ -64,7 +68,6 @@ spec:
|
||||
- name: docker-images
|
||||
mountPath: {{ .Values.conf.registry.storage.filesystem.rootdirectory }}
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: registry-bin
|
||||
configMap:
|
||||
name: registry-bin
|
||||
|
@ -22,6 +22,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.bootstrap -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "docker-bootstrap"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -33,6 +36,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "docker" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -57,7 +61,6 @@ spec:
|
||||
- name: docker-socket
|
||||
mountPath: /var/run/docker.sock
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
- name: registry-bin
|
||||
configMap:
|
||||
name: registry-bin
|
||||
|
@ -1,19 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -179,5 +179,4 @@ manifests:
|
||||
job_bootstrap: true
|
||||
job_image_repo_sync: true
|
||||
pvc_images: true
|
||||
rbac_entrypoint: true
|
||||
service_registry: true
|
||||
|
@ -21,6 +21,9 @@ limitations under the License.
|
||||
{{- else -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.tiller -}}
|
||||
{{- end -}}
|
||||
|
||||
{{- $serviceAccountName := "tiller"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: extensions/v1beta1
|
||||
kind: Deployment
|
||||
@ -87,9 +90,7 @@ spec:
|
||||
restartPolicy: Always
|
||||
schedulerName: default-scheduler
|
||||
securityContext: {}
|
||||
serviceAccount: tiller
|
||||
serviceAccountName: tiller
|
||||
serviceAccount: {{ $serviceAccountName }}
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
terminationGracePeriodSeconds: 30
|
||||
volumes:
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
|
@ -18,6 +18,9 @@ limitations under the License.
|
||||
{{- $envAll := . }}
|
||||
{{- if .Values.images.local_registry.active -}}
|
||||
{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
|
||||
|
||||
{{- $serviceAccountName := "kube-dns-image-repo-sync"}}
|
||||
{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
@ -29,6 +32,7 @@ spec:
|
||||
labels:
|
||||
{{ tuple $envAll "tiller" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
|
||||
@ -60,6 +64,5 @@ spec:
|
||||
- name: docker-socket
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
@ -1,19 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.rbac_entrypoint }}
|
||||
{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
|
||||
{{- end }}
|
@ -1,24 +0,0 @@
|
||||
{{/*
|
||||
Copyright 2017 The Openstack-Helm Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{- if .Values.manifests.serviceaccount_tiller }}
|
||||
{{- $envAll := . }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: tiller
|
||||
{{- end }}
|
@ -83,6 +83,4 @@ manifests:
|
||||
configmap_bin: true
|
||||
deployment_tiller: true
|
||||
job_image_repo_sync: true
|
||||
rbac_entrypoint: true
|
||||
service_tiller_deploy: true
|
||||
serviceaccount_tiller: true
|
||||
|
Loading…
x
Reference in New Issue
Block a user