Set up cert-manager cluster role for pod security policies
This commit adds a helm chart to the cert-manager application that deploys a rolebinding, allowing deployments into the cert-manager namespace once the PodSecurityPolicy plugin is enabled on the Kubernetes cluster. Partial-bug: 1878900 Depends-On: https://review.opendev.org/#/c/734408/ Depends-On: https://review.opendev.org/#/c/735998/ Change-Id: I73f91d94d341511b8e43c21d6f01b1cf3e7ad054 Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
parent
3951f352a4
commit
f9df1a933e
|
@ -7,3 +7,4 @@
|
|||
# Helm: Supported charts:
|
||||
# These values match the names in the chart package's Chart.yaml
|
||||
HELM_CHART_CERT_MANAGER = 'cert-manager'
|
||||
HELM_CHART_PSP_ROLEBINDING = 'psp-rolebinding'
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
#
|
||||
# Copyright (c) 2020 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
from k8sapp_cert_manager.common import constants as app_constants
|
||||
|
||||
from sysinv.common import constants
|
||||
from sysinv.common import exception
|
||||
|
||||
from sysinv.helm import base
|
||||
from sysinv.helm import common
|
||||
|
||||
|
||||
class PSPRolebindingHelm(base.BaseHelm):
|
||||
"""Class to encapsulate helm operations for the psp rolebinding chart"""
|
||||
|
||||
SUPPORTED_NAMESPACES = base.BaseHelm.SUPPORTED_NAMESPACES + \
|
||||
[common.HELM_NS_CERT_MANAGER]
|
||||
SUPPORTED_APP_NAMESPACES = {
|
||||
constants.HELM_APP_CERT_MANAGER:
|
||||
base.BaseHelm.SUPPORTED_NAMESPACES + [common.HELM_NS_CERT_MANAGER],
|
||||
}
|
||||
|
||||
CHART = app_constants.HELM_CHART_PSP_ROLEBINDING
|
||||
SERVICE_NAME = 'psp-rolebinding'
|
||||
|
||||
def get_namespaces(self):
|
||||
return self.SUPPORTED_NAMESPACES
|
||||
|
||||
def get_overrides(self, namespace=None):
|
||||
overrides = {
|
||||
common.HELM_NS_CERT_MANAGER: {}
|
||||
}
|
||||
|
||||
if namespace in self.SUPPORTED_NAMESPACES:
|
||||
return overrides[namespace]
|
||||
elif namespace:
|
||||
raise exception.InvalidHelmNamespace(chart=self.CHART,
|
||||
namespace=namespace)
|
||||
else:
|
||||
return overrides
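Review bot: In `get_overrides`, the membership test `if namespace in self.SUPPORTED_NAMESPACES` is wider than the `overrides` dict, which only carries the `common.HELM_NS_CERT_MANAGER` key; if `base.BaseHelm.SUPPORTED_NAMESPACES` contributes any other namespace (not visible here), passing one of them raises a bare `KeyError` instead of `InvalidHelmNamespace`. Testing against the dict itself, `if namespace in overrides:`, keeps the check and the data in sync. `SUPPORTED_APP_NAMESPACES` also re-spells `base.BaseHelm.SUPPORTED_NAMESPACES + [common.HELM_NS_CERT_MANAGER]` instead of reusing the `SUPPORTED_NAMESPACES` defined just above it, `constants.HELM_APP_CERT_MANAGER: SUPPORTED_NAMESPACES,`. Neither method has a docstring; a one-liner on `get_overrides` stating that it returns the values for one supported namespace, or the whole mapping when `namespace` is None, would make the contract explicit.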
|
|
@ -34,6 +34,7 @@ systemconfig.helm_applications =
|
|||
|
||||
systemconfig.helm_plugins.cert_manager =
|
||||
001_cert-manager = k8sapp_cert_manager.helm.cert_manager:CertMgrHelm
|
||||
002_psp-rolebinding = k8sapp_cert_manager.helm.psp_rolebinding:PSPRolebindingHelm
|
||||
|
||||
[wheel]
|
||||
universal = 1
|
||||
|
|
|
@ -5,3 +5,7 @@ SRC_DIR="stx-cert-manager-helm"
|
|||
TIS_BASE_SRCREV=94d4c26f982e2e8c222517900c504580d1e3a09d
|
||||
TIS_PATCH_VER=GITREVCOUNT
|
||||
|
||||
COPY_LIST_TO_TAR="\
|
||||
$STX_BASE/helm-charts/psp-rolebinding/psp-rolebinding/helm-charts \
|
||||
"
|
||||
|
||||
|
|
|
@ -40,6 +40,11 @@ chartmuseum --debug --port=8879 --context-path='/charts' --storage="local" --sto
|
|||
sleep 2
|
||||
helm repo add local http://localhost:8879/charts
|
||||
|
||||
# Make the charts. These produce a tgz file
|
||||
cd helm-charts
|
||||
make psp-rolebinding
|
||||
cd -
|
||||
|
||||
# terminate helm server (the last backgrounded task)
|
||||
kill %1
|
||||
|
||||
|
@ -52,6 +57,7 @@ mkdir -p %{app_staging}
|
|||
cp files/metadata.yaml %{app_staging}
|
||||
cp manifests/*.yaml %{app_staging}
|
||||
mkdir -p %{app_staging}/charts
|
||||
cp helm-charts/*.tgz %{app_staging}/charts
|
||||
cp %{helm_folder}/cert*.tgz %{app_staging}/charts
|
||||
cd %{app_staging}
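Review bot: In the first hunk, `cd helm-charts`, `make psp-rolebinding` and `cd -` are three separate commands, so unless the %build script runs under `set -e` (not visible here) a failing `make` is masked by the successful `cd -` and the build only breaks later at `cp helm-charts/*.tgz` in the second hunk. `make -C helm-charts psp-rolebinding` replaces the three lines, leaves the working directory untouched and surfaces make's exit status directly. The `kill %1` that follows still assumes chartmuseum is the only backgrounded job, which the added lines do not change.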
|
||||
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
#
|
||||
# Copyright 2017 The Openstack-Helm Authors.
|
||||
#
|
||||
# Copyright (c) 2018 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# It's necessary to set this because some environments don't link sh -> bash.
|
||||
SHELL := /bin/bash
|
||||
TASK := build
|
||||
|
||||
EXCLUDES := helm-toolkit doc tests tools logs tmp
|
||||
CHARTS := helm-toolkit $(filter-out $(EXCLUDES), $(patsubst %/.,%,$(wildcard */.)))
|
||||
|
||||
.PHONY: $(EXCLUDES) $(CHARTS)
|
||||
|
||||
all: $(CHARTS)
|
||||
|
||||
$(CHARTS):
|
||||
@if [ -d $@ ]; then \
|
||||
echo; \
|
||||
echo "===== Processing [$@] chart ====="; \
|
||||
make $(TASK)-$@; \
|
||||
fi
|
||||
|
||||
init-%:
|
||||
if [ -f $*/Makefile ]; then make -C $*; fi
|
||||
if [ -f $*/requirements.yaml ]; then helm dep up $*; fi
|
||||
|
||||
lint-%: init-%
|
||||
if [ -d $* ]; then helm lint $*; fi
|
||||
|
||||
build-%: lint-%
|
||||
if [ -d $* ]; then helm package $*; fi
|
||||
|
||||
clean:
|
||||
@echo "Clean all build artifacts"
|
||||
rm -f */templates/_partials.tpl */templates/_globals.tpl
|
||||
rm -f *tgz */charts/*tgz */requirements.lock
|
||||
rm -rf */charts */tmpcharts
|
||||
|
||||
%:
|
||||
@:
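Review bot: The recipes at `make $(TASK)-$@` and `make -C $*` invoke a literal `make` rather than `$(MAKE)`, so the parent's `-j`/jobserver and `-n` flags are not propagated to the sub-make; change them to `$(MAKE) $(TASK)-$@; \` and `if [ -f $*/Makefile ]; then $(MAKE) -C $*; fi`. The trailing catch-all `%:` with an empty `@:` recipe means a mistyped chart name (for example in the spec's `make psp-rolebinding` call) exits 0 with nothing built, and the missing chart only surfaces when its tgz is copied later — either drop the catch-all or make it print the unknown target and fail. The header says this file is adapted from openstack-helm, so both points presumably apply to the copy it was taken from as well.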
|
|
@ -1,5 +1,35 @@
|
|||
---
|
||||
schema: armada/Chart/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: cert-manager-psp-rolebinding
|
||||
data:
|
||||
chart_name: psp-rolebinding
|
||||
release: cert-manager-psp-rolebinding
|
||||
namespace: cert-manager
|
||||
values:
|
||||
rolebindingNamespace: cert-manager
|
||||
serviceAccount: cert-manager
|
||||
source:
|
||||
location: http://172.17.0.1:8080/helm_charts/stx-platform/psp-rolebinding-0.1.0.tgz
|
||||
subpath: psp-rolebinding
|
||||
type: tar
|
||||
reference: master
|
||||
upgrade:
|
||||
no_hooks: false
|
||||
pre:
|
||||
delete:
|
||||
- labels:
|
||||
release_group: cert-manager-psp-rolebinding
|
||||
type: job
|
||||
wait:
|
||||
labels:
|
||||
release_group: cert-manager-psp-rolebinding
|
||||
resources: []
|
||||
timeout: 1800
|
||||
dependencies: []
|
||||
---
|
||||
schema: armada/Chart/v1
|
||||
metadata:
|
||||
schema: metadata/Document/v1
|
||||
name: cert-manager
|
||||
|
@ -95,6 +125,7 @@ data:
|
|||
sequenced: true
|
||||
chart_group:
|
||||
- cert-manager
|
||||
- cert-manager-psp-rolebinding
|
||||
---
|
||||
schema: armada/Manifest/v1
|
||||
metadata:
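Review bot: In the second hunk, `- cert-manager-psp-rolebinding` is appended after `- cert-manager` in a `chart_group` marked `sequenced: true`; if Armada waits for cert-manager's workloads before moving on, and those pods are the ones the rolebinding must admit under PodSecurityPolicy (the commit message's stated purpose), cert-manager's wait can time out before the binding exists. Listing `- cert-manager-psp-rolebinding` before `- cert-manager` matches the dependency the commit describes. In the first hunk the chart's `values` pin only `rolebindingNamespace` and `serviceAccount`; which policy or role the binding grants is left to the chart's defaults (not visible here) and is worth naming explicitly so the privilege granted to the `cert-manager` service account can be reviewed from the manifest alone.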
|
||||
|
|