diff --git a/releasenotes/config.yaml b/releasenotes/config.yaml
index 98f214ab5..436ae404b 100644
--- a/releasenotes/config.yaml
+++ b/releasenotes/config.yaml
@@ -54,6 +54,7 @@ sections:
 - [redis, redis Chart]
 - [registry, registry Chart]
 - [shaker, shaker Chart]
+ - [tiller, tiller Chart]
 - [features, New Features]
 - [issues, Known Issues]
 - [upgrade, Upgrade Notes]
diff --git a/releasenotes/notes/tiller.yaml b/releasenotes/notes/tiller.yaml
new file mode 100644
index 000000000..55383c410
--- /dev/null
+++ b/releasenotes/notes/tiller.yaml
@@ -0,0 +1,5 @@
+---
+tiller:
+ - 0.1.0 Initial Chart
+ - 0.1.1 Change helm-toolkit dependency version to ">= 0.1.0"
+...
diff --git a/tiller/Chart.yaml b/tiller/Chart.yaml
new file mode 100644
index 000000000..4b845afa5
--- /dev/null
+++ b/tiller/Chart.yaml
@@ -0,0 +1,25 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+appVersion: v2.16.9
+description: OpenStack-Helm Tiller
+name: tiller
+version: 0.1.1
+home: https://github.com/kubernetes/helm
+sources:
+ - https://github.com/kubernetes/helm
+ - https://opendev.org/openstack/openstack-helm
+maintainers:
+ - name: OpenStack-Helm Authors
+...
diff --git a/tiller/requirements.yaml b/tiller/requirements.yaml
new file mode 100644
index 000000000..19b0d6992
--- /dev/null
+++ b/tiller/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: ">= 0.1.0"
+...
diff --git a/tiller/templates/configmap-bin.yaml b/tiller/templates/configmap-bin.yaml
new file mode 100644
index 000000000..d3dae4773
--- /dev/null
+++ b/tiller/templates/configmap-bin.yaml
@@ -0,0 +1,25 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: tiller-bin
+data:
+ image-repo-sync.sh: |
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}
diff --git a/tiller/templates/deployment-tiller.yaml b/tiller/templates/deployment-tiller.yaml
new file mode 100644
index 000000000..7cacc69cd
--- /dev/null
+++ b/tiller/templates/deployment-tiller.yaml
@@ -0,0 +1,111 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment_tiller }}
+{{- $envAll := . }}
+
+{{- $serviceAccountName := printf "%s-%s" .Release.Name "tiller" }}
+{{ tuple $envAll "tiller" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $serviceAccountName }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
+ labels:
+ app: helm
+ name: tiller
+ name: tiller-deploy
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helm
+ name: tiller
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: helm
+ name: tiller
+ annotations:
+{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
+ configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
+ spec:
+{{ dict "envAll" $envAll "application" "tiller" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
+ initContainers:
+{{ tuple $envAll "tiller" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+ containers:
+ - env:
+ - name: TILLER_NAMESPACE
+ value: {{ .Release.Namespace }}
+ - name: TILLER_HISTORY_MAX
+ value: "0"
+{{ tuple $envAll "tiller" | include "helm-toolkit.snippets.image" | indent 8 }}
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /liveness
+ port: 44135
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: tiller
+{{ dict "envAll" $envAll "application" "tiller" "container" "tiller" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 8 }}
+ ports:
+ - containerPort: 44134
+ name: tiller
+ protocol: TCP
+ - containerPort: 44135
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /readiness
+ port: 44135
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: {{ .Values.pod.dns_policy }}
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ serviceAccount: {{ $serviceAccountName }}
+ serviceAccountName: {{ $serviceAccountName }}
+ terminationGracePeriodSeconds: 30
+{{- end }}
diff --git a/tiller/templates/job-image-repo-sync.yaml b/tiller/templates/job-image-repo-sync.yaml
new file mode 100644
index 000000000..004931493
--- /dev/null
+++ b/tiller/templates/job-image-repo-sync.yaml
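Review bot: In tiller/templates/deployment-tiller.yaml the ClusterRoleBinding gives the Tiller service account `cluster-admin`, while the container is started with no TLS settings and port 44134 is both declared as a container port and, in service-tiller-deploy.yaml of this same commit, published through the `tiller-deploy` ClusterIP Service. As far as these lines show, nothing authenticates gRPC clients, so any workload that can reach `tiller-deploy:44134` could have Tiller act with cluster-admin rights. Consider enabling client-certificate verification (Tiller's `--tls-verify` with a mounted certificate secret), or binding with `--listen=localhost:44134` and dropping the Service port if only in-pod clients need it; a NetworkPolicy limiting ingress to 44134 and a comment on `roleRef` saying why cluster-admin is required would make the exposure explicit. Separately, `resources: {}` is hard-coded, so requests and limits for the Deployment cannot be set from values.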
@@ -0,0 +1,18 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.job_image_repo_sync .Values.images.local_registry.active }}
+{{- $imageRepoSyncJob := dict "envAll" . "serviceName" "tiller" -}}
+{{ $imageRepoSyncJob | include "helm-toolkit.manifests.job_image_repo_sync" }}
+{{- end }}
diff --git a/tiller/templates/service-tiller-deploy.yaml b/tiller/templates/service-tiller-deploy.yaml
new file mode 100644
index 000000000..0b535df07
--- /dev/null
+++ b/tiller/templates/service-tiller-deploy.yaml
@@ -0,0 +1,45 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service_tiller_deploy }}
+{{- $envAll := . }}
+{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.tiller }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: helm
+ name: tiller
+ name: tiller-deploy
+ annotations:
+{{- if .Values.monitoring.prometheus.enabled }}
+{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_service_annotations" | indent 4 }}
+{{- end }}
+spec:
+ ports:
+ - name: tiller
+ port: 44134
+ protocol: TCP
+ targetPort: tiller
+ - name: metrics
+ port: 44135
+ protocol: TCP
+ targetPort: metrics
+ selector:
+ app: helm
+ name: tiller
+ sessionAffinity: None
+ type: ClusterIP
+{{- end }}
diff --git a/tiller/values.yaml b/tiller/values.yaml
new file mode 100644
index 000000000..161e994c5
--- /dev/null
+++ b/tiller/values.yaml
@@ -0,0 +1,103 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for helm tiller
+# This is a YAML-formatted file.
+# Declare name/value pairs to be passed into your templates.
+# name: value
+
+---
+labels:
+ job:
+ node_selector_key: openstack-control-plane
+ node_selector_value: enabled
+
+release_group: null
+
+images:
+ tags:
+ tiller: gcr.io/kubernetes-helm/tiller:v2.16.9
+ dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
+ image_repo_sync: docker.io/docker:17.07.0
+ pull_policy: IfNotPresent
+ local_registry:
+ active: false
+ exclude:
+ - dep_check
+ - image_repo_sync
+
+pod:
+ dns_policy: "ClusterFirst"
+ security_context:
+ tiller:
+ pod:
+ runAsUser: 65534
+ container:
+ tiller:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ resources:
+ enabled: false
+ jobs:
+ image_repo_sync:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "1024Mi"
+ cpu: "2000m"
+
+dependencies:
+ dynamic:
+ common:
+ local_image_registry:
+ jobs:
+ - tiller-image-repo-sync
+ services:
+ - endpoint: node
+ service: local_image_registry
+ static:
+ image_repo_sync:
+ services:
+ - endpoint: internal
+ service: local_image_registry
+ tiller:
+ services: null
+
+endpoints:
+ cluster_domain_suffix: cluster.local
+ local_image_registry:
+ name: docker-registry
+ namespace: docker-registry
+ hosts:
+ default: localhost
+ internal: docker-registry
+ node: localhost
+ host_fqdn_override:
+ default: null
+ port:
+ registry:
+ node: 5000
+
+monitoring:
+ prometheus:
+ enabled: false
+ tiller:
+ scrape: true
+ port: 44135
+
+manifests:
+ configmap_bin: true
+ deployment_tiller: true
+ job_image_repo_sync: true
+ service_tiller_deploy: true
+...
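Review bot: The three entries under `images.tags` in tiller/values.yaml reference images by mutable tag only, so the content that runs under the cluster-admin binding depends on what the registry serves for `v2.16.9` at pull time, and with `pull_policy: IfNotPresent` different nodes can keep different content for the same tag. Pinning by digest would fix the content, e.g. `tiller: gcr.io/kubernetes-helm/tiller:v2.16.9@sha256:<digest>` (placeholder, to be filled from the verified image). The container security context sets `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` but does not drop capabilities; adding `capabilities: {drop: [ALL]}` next to them would tighten it, assuming the helm-toolkit security-context snippet passes the map through unchanged.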