Image local repo jobs and multiple namespace support

This PS introduces support for using a local docker repo to
store images if desired, and adds multiple namespace support
to the entrypoint lookup functions.

Change-Id: Ib51aa30d3cc033795fe13f6c40a57d46171ad586

calico/templates/clusterrole-calico-cni-plugin.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrole_calico_cni_plugin }}
 {{- $envAll := . }}
 ---
 kind: ClusterRole
@@ -27,3 +28,4 @@ rules:
       - nodes
     verbs:
       - get
+{{- end }}

calico/templates/clusterrole-calico-policy-controller.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrole_calico_policy_controller }}
 {{- $envAll := . }}
 ---
 kind: ClusterRole
@@ -31,3 +32,4 @@ rules:
     verbs:
       - watch
       - list
+{{- end }}

calico/templates/clusterrolebinding-calico-cni-plugin.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrolebinding_calico_cni_plugin }}
 {{- $envAll := . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -28,3 +29,4 @@ subjects:
   - kind: ServiceAccount
     name: calico-cni-plugin
     namespace: {{ .Release.Namespace }}
+{{- end }}

calico/templates/clusterrolebinding-calico-policy-controller.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrolebinding_calico_policy_controller }}
 {{- $envAll := . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -28,3 +29,4 @@ subjects:
   - kind: ServiceAccount
     name: calico-policy-controller
     namespace: {{ .Release.Namespace }}
+{{- end }}

calico/templates/configmap-bin.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: calico-bin
+data:
+  image-repo-sync.sh: |+
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}

calico/templates/configmap-calico-config.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.configmap_calico_config }}
 {{- $envAll := . }}
 ---
 # This ConfigMap is used to configure a self-hosted Calico installation.
@@ -50,3 +51,4 @@ data:
             "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
         }
     }
+{{- end }}

calico/templates/daemonset-calico-etcd.yaml

@@ -14,7 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.daemonset_calico_etcd }}
 {{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.etcd .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.etcd -}}
+{{- end -}}
 ---
 # This manifest installs the Calico etcd on the kubeadm master.  This uses a DaemonSet
 # to force it to run on the master even when the master isn't schedulable, and uses
@@ -49,6 +55,8 @@ spec:
       nodeSelector:
         node-role.kubernetes.io/master: ""
       hostNetwork: true
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: calico-etcd
 {{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -68,6 +76,8 @@ spec:
             - name: var-etcd
               mountPath: /var/etcd
       volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
         - name: var-etcd
           hostPath:
             path: /var/etcd
+{{- end }}

calico/templates/daemonset-calico-node.yaml

@@ -14,8 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.daemonset_calico_node }}
 {{- $envAll := . }}
-{{- $dependencies := .Values.dependencies.calico_node }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.calico_node .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_node -}}
+{{- end -}}
 ---
 # This manifest installs the calico/node container, as well
 # as the Calico CNI plugins and network config on
@@ -54,7 +59,7 @@ spec:
           operator: Exists
       serviceAccountName: calico-cni-plugin
       initContainers:
-{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         # Runs calico/node container on each Kubernetes node.  This
         # container programs network policy and routes on each
@@ -155,6 +160,7 @@ spec:
             - mountPath: /host/etc/cni/net.d
               name: cni-net-dir
       volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
         # Used by calico/node.
         - name: lib-modules
           hostPath:
@@ -169,4 +175,4 @@ spec:
         - name: cni-net-dir
           hostPath:
             path: /etc/cni/net.d
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}

calico/templates/deployment-calico-policy-controller.yaml

@@ -14,8 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.deployment_calico_policy_controller }}
 {{- $envAll := . }}
-{{- $dependencies := .Values.dependencies.calico_policy_controller }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.calico_policy_controller .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_policy_controller -}}
+{{- end -}}
 ---
 # This manifest deploys the Calico policy controller on Kubernetes.
 # See https://github.com/projectcalico/k8s-policy
@@ -55,7 +60,7 @@ spec:
         operator: Exists
       serviceAccountName: calico-policy-controller
       initContainers:
-{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: calico-policy-controller
 {{ tuple $envAll "calico_kube_policy_controller" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -77,3 +82,4 @@ spec:
               value: "true"
       volumes:
 {{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}

calico/templates/job-image-repo-sync.yaml

@@ -0,0 +1,65 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_image_repo_sync }}
+{{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: calico-image-repo-sync
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "calico" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" . }}"
+          command:
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: calico-bin
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+      volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+        - name: calico-bin
+          configMap:
+            name: calico-bin
+            defaultMode: 0555
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- end }}
+{{- end }}

calico/templates/rbac-entrypoint.yaml

@@ -14,4 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.rbac_entrypoint }}
 {{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
+{{- end }}

calico/templates/service-calico-etcd.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.service_calico_etcd }}
 {{- $envAll := . }}
 ---
 # This manifest installs the Service which gets traffic to the Calico
@@ -35,3 +36,4 @@ spec:
   clusterIP: 10.96.232.136
   ports:
     - port: {{ tuple "etcd" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{- end }}

calico/templates/serviceaccount-calico-cni-plugin.yaml

@@ -14,9 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.serviceaccount_calico_cni_plugin }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: calico-cni-plugin
+{{- end }}

calico/templates/serviceaccount-calico-policy-controller.yaml

@@ -14,9 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.serviceaccount_calico_policy_controller }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: calico-policy-controller
+{{- end }}

calico/values.yaml

@@ -20,6 +20,10 @@
 #   calico/cni:v1.10.0
 #   calico/kube-policy-controller:v0.7.0
 
+labels:
+  node_selector_key: openstack-control-plane
+  node_selector_value: enabled
+
 images:
   tags:
     calico_etcd: quay.io/coreos/etcd:v3.1.10
@@ -27,11 +31,33 @@ images:
     calico_cni: quay.io/calico/cni:v1.10.0
     calico_kube_policy_controller: quay.io/calico/kube-policy-controller:v0.7.0
     dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+    image_repo_sync: docker.io/docker:17.07.0
   pull_policy: IfNotPresent
-  registry:
-    prefix: null
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+      - calico_etcd
+      - calico_node
+      - calico_cni
+      - calico_kube_policy_controller
+
+pod:
+  resources:
+    enabled: false
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
 
 dependencies:
+  etcd:
+    services: null
   calico_node:
     services:
     - service: etcd
@@ -41,8 +67,28 @@ dependencies:
     - service: etcd
       endpoint: internal
 
+conditional_dependencies:
+  local_image_registry:
+    jobs:
+      - calico-image-repo-sync
+    services:
+      - service: local_image_registry
+        endpoint: node
+
 endpoints:
   cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
   etcd:
     hosts:
       default: calico-etcd
@@ -56,3 +102,19 @@ endpoints:
 
 networking:
   podSubnet: 192.168.0.0/16
+
+manifests:
+  clusterrole_calico_cni_plugin: true
+  clusterrole_calico_policy_controller: true
+  clusterrolebinding_calico_cni_plugin: true
+  clusterrolebinding_calico_policy_controller: true
+  configmap_bin: true
+  configmap_calico_config: true
+  daemonset_calico_etcd: true
+  daemonset_calico_node: true
+  deployment_calico_policy_controller: true
+  job_image_repo_sync: true
+  rbac_entrypoint: true
+  service_calico_etcd: true
+  serviceaccount_calico_cni_plugin: true
+  serviceaccount_calico_policy_controller: true

flannel/templates/clusterrole-flannel.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrole_flannel }}
 {{- $envAll := . }}
 ---
 kind: ClusterRole
@@ -40,3 +41,4 @@ rules:
       - nodes/status
     verbs:
       - patch
+{{- end }}

flannel/templates/clusterrolebinding-flannel.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrolebinding_flannel }}
 {{- $envAll := . }}
 ---
 kind: ClusterRoleBinding
@@ -28,3 +29,4 @@ subjects:
 - kind: ServiceAccount
   name: flannel
   namespace: {{ .Release.Namespace }}
+{{- end }}

flannel/templates/configmap-bin.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: flannel-bin
+data:
+  image-repo-sync.sh: |+
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}

flannel/templates/configmap-kube-flannel-cfg.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.configmap_kube_flannel_cfg }}
 {{- $envAll := . }}
 ---
 kind: ConfigMap
@@ -39,3 +40,4 @@ data:
         "Type": "vxlan"
       }
     }
+{{- end }}

flannel/templates/daemonset-kube-flannel-ds.yaml

@@ -14,7 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.daemonset_kube_flannel_ds }}
 {{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.flannel .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.flannel -}}
+{{- end -}}
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@@ -40,6 +46,8 @@ spec:
           operator: Exists
           effect: NoSchedule
       serviceAccountName: flannel
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: kube-flannel
 {{ tuple $envAll "flannel" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -69,6 +77,7 @@ spec:
             - name: flannel-cfg
               mountPath: /etc/kube-flannel/
       volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
         - name: run
           hostPath:
             path: /run
@@ -78,3 +87,4 @@ spec:
         - name: flannel-cfg
           configMap:
             name: kube-flannel-cfg
+{{- end }}

flannel/templates/job-image-repo-sync.yaml

@@ -0,0 +1,65 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_image_repo_sync }}
+{{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: flannel-image-repo-sync
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "flannel" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" . }}"
+          command:
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: flannel-bin
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+      volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+        - name: flannel-bin
+          configMap:
+            name: flannel-bin
+            defaultMode: 0555
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{- end }}
+{{- end }}

flannel/templates/rbac-entrypoint.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.rbac_entrypoint }}
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
+{{- end }}

flannel/templates/serviceaccount-flannel.yaml

@@ -14,9 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.serviceaccount_flannel }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: flannel
+{{- end }}

flannel/values.yaml

@@ -14,12 +14,74 @@
 
 # https://raw.githubusercontent.com/coreos/flannel/v0.8.0/Documentation/kube-flannel.yml
 
+labels:
+  node_selector_key: openstack-control-plane
+  node_selector_value: enabled
+
 images:
   tags:
     flannel: quay.io/coreos/flannel:v0.8.0-amd64
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+    image_repo_sync: docker.io/docker:17.07.0
   pull_policy: IfNotPresent
-  registry:
-    prefix: null
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+      - flannel
+
+pod:
+  resources:
+    enabled: false
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
 
 networking:
   podSubnet: 192.168.0.0/16
+
+dependencies:
+  flannel:
+    services: null
+  image_repo_sync:
+    services:
+      - service: local_image_registry
+        endpoint: internal
+
+conditional_dependencies:
+  local_image_registry:
+    jobs:
+      - flannel-image-repo-sync
+    services:
+      - service: local_image_registry
+        endpoint: node
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+
+manifests:
+  clusterrole_flannel: true
+  clusterrolebinding_flannel: true
+  configmap_bin: true
+  configmap_kube_flannel_cfg: true
+  daemonset_kube_flannel_ds: true
+  job_image_repo_sync: true
+  rbac_entrypoint: true

helm-toolkit/templates/endpoints/_service_name_endpoint_with_namespace_lookup.tpl

@@ -0,0 +1,34 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+# This function returns endpoint "<namespace>:<name>" pair from an endpoint
+# definition. This is used in kubernetes-entrypoint to support dependencies
+# between different services in different namespaces.
+# returns: the endpoint namespace and the service name, delimited by a colon
+
+{{- define "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" -}}
+{{- $type := index . 0 -}}
+{{- $endpoint := index . 1 -}}
+{{- $context := index . 2 -}}
+{{- $typeYamlSafe := $type | replace "-" "_" }}
+{{- $endpointMap := index $context.Values.endpoints $typeYamlSafe }}
+{{- with $endpointMap -}}
+{{- $endpointScheme := .scheme }}
+{{- $endpointName := index .hosts $endpoint | default .hosts.default}}
+{{- $endpointNamespace := .namespace | default $context.Release.Namespace }}
+{{- printf "%s:%s" $endpointNamespace $endpointName -}}
+{{- end -}}
+{{- end -}}

helm-toolkit/templates/scripts/_image-repo-sync.sh.tpl

@@ -0,0 +1,26 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.scripts.image_repo_sync" }}
+#!/bin/sh
+set -ex
+
+IFS=','; for IMAGE in ${IMAGE_SYNC_LIST}; do
+  docker pull ${IMAGE}
+  docker tag ${IMAGE} ${LOCAL_REPO}/${IMAGE}
+  docker push ${LOCAL_REPO}/${IMAGE}
+done
+{{- end }}

helm-toolkit/templates/snippets/_image.tpl

@@ -18,8 +18,9 @@ limitations under the License.
 {{- $envAll := index . 0 -}}
 {{- $image := index . 1 -}}
 {{- $imageTag := index $envAll.Values.images.tags $image -}}
-{{- if $envAll.Values.images.registry.prefix -}}
-image: {{ printf "%s/%s" $envAll.Values.images.registry.prefix $imageTag | quote }}
+{{- if and ($envAll.Values.images.local_registry.active) (not (has $image $envAll.Values.images.local_registry.exclude )) -}}
+{{- $registryPrefix := printf "%s:%s" (tuple "local_image_registry" "node" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup") (tuple "local_image_registry" "node" "registry" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup") -}}
+image: {{ printf "%s/%s" $registryPrefix $imageTag | quote }}
 {{- else -}}
 image: {{ $imageTag | quote }}
 {{- end }}

helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl

@@ -21,8 +21,7 @@ limitations under the License.
 {{- $mountServiceAccount := dict "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" "name" "entrypoint-serviceaccount-secret" "readOnly" true -}}
 {{- $mountsEntrypoint := append $mounts $mountServiceAccount -}}
 - name: init
-  image: {{ $envAll.Values.images.tags.dep_check }}
-  imagePullPolicy: {{ $envAll.Values.images.pull_policy }}
+{{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
   env:
     - name: POD_NAME
       valueFrom:
@@ -37,7 +36,7 @@ limitations under the License.
     - name: INTERFACE_NAME
       value: eth0
     - name: DEPENDENCY_SERVICE
-      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_hostname_list" }}"
+      value: "{{ tuple $deps.services $envAll | include "helm-toolkit.utils.comma_joined_service_list" }}"
     - name: DEPENDENCY_JOBS
       value: "{{  include "helm-toolkit.utils.joinListWithComma" $deps.jobs }}"
     - name: DEPENDENCY_DAEMONSET

helm-toolkit/templates/utils/_comma_joined_service_list.tpl

@@ -14,8 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- define "helm-toolkit.utils.comma_joined_hostname_list" -}}
+{{- define "helm-toolkit.utils.comma_joined_service_list" -}}
 {{- $deps := index . 0 -}}
 {{- $envAll := index . 1 -}}
-{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}{{- end -}}
+{{- range $k, $v := $deps -}}{{- if $k -}},{{- end -}}{{ tuple $v.service $v.endpoint $envAll | include "helm-toolkit.endpoints.service_name_endpoint_with_namespace_lookup" }}{{- end -}}
 {{- end -}}

helm-toolkit/templates/utils/_image_sync_list.tpl

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.utils.image_sync_list" -}}
+{{- $imageExcludeList := .Values.images.local_registry.exclude -}}
+{{- $imageDict := .Values.images.tags -}}
+{{- $local := dict "first" true -}}
+{{- range $k, $v := $imageDict -}}
+{{- if not $local.first -}},{{- end -}}
+{{- if (not (has $k $imageExcludeList )) -}}
+{{- index $imageDict $k -}}
+{{- $_ := set $local "first" false -}}
+{{- end -}}{{- end -}}
+{{- end -}}

kube-dns/templates/configmap-bin.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kube-dns-bin
+data:
+  image-repo-sync.sh: |+
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}

kube-dns/templates/configmap-kube-dns.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.configmap_kube_dns }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
@@ -22,3 +23,4 @@ metadata:
   name: kube-dns
   labels:
     addonmanager.kubernetes.io/mode: EnsureExists
+{{- end }}

kube-dns/templates/deployment-kube-dns.yaml

@@ -14,7 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.deployment_kube_dns }}
 {{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.kube_dns .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.kube_dns -}}
+{{- end -}}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -181,8 +187,10 @@ spec:
       - effect: NoSchedule
         key: node-role.kubernetes.io/master
       volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 6 }}
       - configMap:
           defaultMode: 420
           name: kube-dns
           optional: true
         name: kube-dns-config
+{{- end }}

kube-dns/templates/job-image-repo-sync.yaml

@@ -0,0 +1,65 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_image_repo_sync }}
+{{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kube-dns-image-repo-sync
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "kube-dns" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" . }}"
+          command:
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: kube-dns-bin
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+      volumes:
+        - name: kube-dns-bin
+          configMap:
+            name: kube-dns-bin
+            defaultMode: 0555
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}
+{{- end }}

kube-dns/templates/rbac-entrypoint.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.rbac_entrypoint }}
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
+{{- end }}

kube-dns/templates/service-kube-dns.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.service_kube_dns }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
@@ -41,3 +42,4 @@ spec:
   selector:
     k8s-app: kube-dns
 {{ tuple $envAll "kubernetes" "dns" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}

kube-dns/templates/serviceaccount-kube-dns.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.serviceaccount_kube_dns }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
@@ -23,3 +24,4 @@ metadata:
   labels:
     kubernetes.io/cluster-service: "true"
     addonmanager.kubernetes.io/mode: Reconcile
+{{- end }}

kube-dns/values.yaml

@@ -14,15 +14,76 @@
 
 # https://raw.githubusercontent.com/coreos/flannel/v0.8.0/Documentation/kube-flannel.yml
 
+labels:
+  node_selector_key: openstack-control-plane
+  node_selector_value: enabled
+
 images:
   tags:
     kube_dns: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5
     kube_dns_nanny: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5
     kube_dns_sidecar: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+    image_repo_sync: docker.io/docker:17.07.0
   pull_policy: IfNotPresent
-  registry:
-    prefix: null
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+pod:
+  resources:
+    enabled: false
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
 
 networking:
   dnsDomain: cluster.local
   dnsIP: 10.96.0.10
+
+dependencies:
+  kube_dns:
+    services: null
+  image_repo_sync:
+    services:
+      - service: local_image_registry
+        endpoint: internal
+
+conditional_dependencies:
+  local_image_registry:
+    jobs:
+      - kube-dns-image-repo-sync
+    services:
+      - service: local_image_registry
+        endpoint: node
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+
+manifests:
+  configmap_bin: true
+  configmap_kube_dns: true
+  deployment_kube_dns: true
+  job_image_repo_sync: true
+  rbac_entrypoint: true
+  service_kube_dns: true
+  serviceaccount_kube_dns: true

nfs-provisioner/templates/configmap-bin.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nfs-bin
+data:
+  image-repo-sync.sh: |+
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}

nfs-provisioner/templates/deployment.yaml

@@ -16,6 +16,11 @@ limitations under the License.
 
 {{- if .Values.manifests.deployment }}
 {{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.nfs .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.nfs -}}
+{{- end -}}
 ---
 kind: Deployment
 apiVersion: apps/v1beta1
@@ -34,6 +39,8 @@ spec:
 {{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: nfs-provisioner
 {{ tuple $envAll "nfs_provisioner" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -71,6 +78,7 @@ spec:
             - name: export-volume
               mountPath: /export
       volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
         - name: export-volume
           hostPath:
             path: {{ .Values.storage.host.host_path }}

nfs-provisioner/templates/job-image-repo-sync.yaml

@@ -0,0 +1,65 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_image_repo_sync }}
+{{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: nfs-image-repo-sync
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "nfs" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" . }}"
+          command:
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: nfs-bin
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+      volumes:
+        - name: nfs-bin
+          configMap:
+            name: nfs-bin
+            defaultMode: 0555
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}
+{{- end }}

nfs-provisioner/templates/rbac-entrypoint.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.rbac_entrypoint }}
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
+{{- end }}

nfs-provisioner/values.yaml

@@ -35,13 +35,26 @@ pod:
       limits:
         memory: "1024Mi"
         cpu: "2000m"
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
 
 images:
   tags:
     nfs_provisioner: quay.io/kubernetes_incubator/nfs-provisioner:v1.0.8
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+    image_repo_sync: docker.io/docker:17.07.0
   pull_policy: IfNotPresent
-  registry:
-    prefix: null
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
 
 storage:
   host:
@@ -55,8 +68,36 @@ storageclass:
   provisioner: example.com/nfs
   name: general
 
+dependencies:
+  nfs:
+    services: null
+  image_repo_sync:
+    services:
+      - service: local_image_registry
+        endpoint: internal
+
+conditional_dependencies:
+  local_image_registry:
+    jobs:
+      - nfs-image-repo-sync
+    services:
+      - service: local_image_registry
+        endpoint: node
+
 endpoints:
   cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
   nfs:
     hosts:
       default: nfs-provisioner
@@ -69,6 +110,9 @@ endpoints:
         default: null
 
 manifests:
+  configmap_bin: true
   deployment: true
+  job_image_repo_sync: true
+  rbac_entrypoint: true
   service: true
   storage_class: true

redis/templates/configmap-bin.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: redis-bin
+data:
+  image-repo-sync.sh: |+
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}

redis/templates/deployment.yaml

@@ -14,7 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.deployment }}
 {{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.redis .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.redis -}}
+{{- end -}}
 ---
 apiVersion: apps/v1beta1
 kind: Deployment
@@ -32,16 +38,21 @@ spec:
 {{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: redis
 {{ tuple $envAll "redis" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
-          command: ["sh", "-xec"]
-          args:
-            - |
-              exec redis-server --port {{ .Values.network.port }}
+          command:
+            - redis-server
+            - --port
+            - {{ .Values.network.port | quote }}
           ports:
             - containerPort: {{ .Values.network.port }}
           readinessProbe:
             tcpSocket:
               port: {{ .Values.network.port }}
+      volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}

redis/templates/job-image-repo-sync.yaml

@@ -0,0 +1,65 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_image_repo_sync }}
+{{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: redis-image-repo-sync
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "redis" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" . }}"
+          command:
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: redis-bin
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+      volumes:
+        - name: redis-bin
+          configMap:
+            name: redis-bin
+            defaultMode: 0555
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}
+{{- end }}

redis/templates/rbac-entrypoint.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.rbac_entrypoint }}
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
+{{- end }}

redis/templates/service.yaml

@@ -13,6 +13,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */}}
+
+{{- if .Values.manifests.service }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
@@ -25,3 +27,4 @@ spec:
     - port: {{ .Values.network.port }}
   selector:
 {{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}

redis/values.yaml

@@ -20,17 +20,22 @@
 images:
   tags:
     redis: docker.io/redis:4.0.1
-  pull_policy: "IfNotPresent"
-  registry:
-    prefix: null
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: IfNotPresent
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
 
 pod:
   affinity:
-      anti:
-        type:
-          default: preferredDuringSchedulingIgnoredDuringExecution
-        topologyKey:
-          default: kubernetes.io/hostname
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
   replicas:
     server: 1
   lifecycle:
@@ -50,6 +55,14 @@ pod:
       requests:
         memory: "128Mi"
         cpu: "500m"
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
 
 labels:
   node_selector_key: openstack-control-plane
@@ -57,3 +70,41 @@ labels:
 
 network:
   port: 6379
+
+dependencies:
+  redis:
+    services: null
+  image_repo_sync:
+    services:
+      - service: local_image_registry
+        endpoint: internal
+
+conditional_dependencies:
+  local_image_registry:
+    jobs:
+      - redis-image-repo-sync
+    services:
+      - service: local_image_registry
+        endpoint: node
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+
+manifests:
+  configmap_bin: true
+  deployment: true
+  job_image_repo_sync: true
+  rbac_entrypoint: true
+  service: true

registry/templates/configmap-etc.yaml

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
-{{- if .Values.manifests.configmap_bin }}
+{{- if .Values.manifests.configmap_etc }}
 {{- $envAll := . }}
 
 {{- if empty .Values.conf.registry.http.addr -}}

registry/templates/daemonset-registry-proxy.yaml

@@ -16,7 +16,11 @@ limitations under the License.
 
 {{- if .Values.manifests.daemonset_registry_proxy }}
 {{- $envAll := . }}
-{{- $dependencies := .Values.dependencies.registry_proxy }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.registry_proxy .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.registry_proxy -}}
+{{- end -}}
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@@ -36,7 +40,7 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       initContainers:
-{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
       - name: registry-proxy
 {{ tuple $envAll "registry_proxy" | include "helm-toolkit.snippets.image" | indent 8 }}
@@ -53,6 +57,7 @@ spec:
             subPath: default.conf
             readOnly: true
       volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
         - name: registry-bin
           configMap:
             name: registry-bin
@@ -61,5 +66,4 @@ spec:
           configMap:
             name: registry-etc
             defaultMode: 0444
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}

registry/templates/deployment-registry.yaml

@@ -16,7 +16,11 @@ limitations under the License.
 
 {{- if .Values.manifests.deployment_registry }}
 {{- $envAll := . }}
-{{- $dependencies := .Values.dependencies.registry }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.registry .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.registry -}}
+{{- end -}}
 ---
 apiVersion: apps/v1beta1
 kind: Deployment
@@ -38,7 +42,7 @@ spec:
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
       initContainers:
-{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
         - name: registry
 {{ tuple $envAll "registry" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -60,6 +64,7 @@ spec:
           - name: docker-images
             mountPath: {{ .Values.conf.registry.storage.filesystem.rootdirectory }}
       volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
         - name: registry-bin
           configMap:
             name: registry-bin
@@ -71,5 +76,4 @@ spec:
         - name: docker-images
           persistentVolumeClaim:
             claimName: docker-images
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}

registry/templates/job-bootstrap.yaml

@@ -17,7 +17,11 @@ limitations under the License.
 {{- if .Values.manifests.job_bootstrap }}
 {{- $envAll := . }}
 {{- if .Values.bootstrap.enabled }}
-{{- $dependencies := .Values.dependencies.bootstrap }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.bootstrap .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.bootstrap -}}
+{{- end -}}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -33,7 +37,7 @@ spec:
       nodeSelector:
         {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
       initContainers:
-{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
       containers:
         - name: docker-bootstrap
 {{ tuple $envAll "bootstrap" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -53,6 +57,7 @@ spec:
             - name: docker-socket
               mountPath: /var/run/docker.sock
       volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
         - name: registry-bin
           configMap:
             name: registry-bin
@@ -60,6 +65,5 @@ spec:
         - name: docker-socket
           hostPath:
             path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}

registry/templates/rbac-entrypoint.yaml

@@ -14,4 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.rbac_entrypoint }}
 {{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
+{{- end }}

registry/values.yaml

@@ -30,8 +30,10 @@ images:
     bootstrap: docker.io/docker:17.07.0
     dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
   pull_policy: "IfNotPresent"
-  registry:
-    prefix: null
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
 
 volume:
   class_name: general
@@ -115,7 +117,7 @@ bootstrap:
   script:
     docker info
   preload_images:
-    - gcr.io/google_containers/ubuntu-slim:0.14
+    - quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
 
 dependencies:
   registry:
@@ -135,16 +137,27 @@ dependencies:
 
 endpoints:
   cluster_domain_suffix: cluster.local
-  docker_registry:
+  local_image_registry:
     name: docker-registry
+    namespace: docker-registry
     hosts:
-      default: docker-registry
+      default: localhost
+      internal: docker-registry
+      node: localhost
     host_fqdn_override:
       default: null
-    path:
+    port:
+      registry:
+        default: 5000
+  docker_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
       default: null
-    scheme:
-      default: http
     port:
       registry:
         default: 5000
@@ -160,8 +173,11 @@ endpoints:
 
 manifests:
   configmap_bin: true
+  configmap_etc: true
   daemonset_registry_proxy: true
   deployment_registry: true
   job_bootstrap: true
+  job_image_repo_sync: true
   pvc_images: true
+  rbac_entrypoint: true
   service_registry: true

tiller/templates/clusterrolebinding-tiller.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.clusterrolebinding_tiller }}
 {{- $envAll := . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
@@ -28,3 +29,4 @@ subjects:
 - kind: ServiceAccount
   name: tiller
   namespace: {{ .Release.Namespace }}
+{{- end }}

tiller/templates/configmap-bin.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tiller-bin
+data:
+  image-repo-sync.sh: |+
+{{- include "helm-toolkit.scripts.image_repo_sync" . | indent 4 }}
+{{- end }}

tiller/templates/deployment-tiller.yaml

@@ -14,7 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.deployment_tiller }}
 {{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" (merge .Values.dependencies.tiller .Values.conditional_dependencies.local_image_registry) -}}
+{{- else -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.tiller -}}
+{{- end -}}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -40,6 +46,8 @@ spec:
         app: helm
         name: tiller
     spec:
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
       containers:
       - env:
         - name: TILLER_NAMESPACE
@@ -82,3 +90,6 @@ spec:
       serviceAccount: tiller
       serviceAccountName: tiller
       terminationGracePeriodSeconds: 30
+      volumes:
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}

tiller/templates/job-image-repo-sync.yaml

@@ -0,0 +1,65 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.job_image_repo_sync }}
+{{- $envAll := . }}
+{{- if .Values.images.local_registry.active -}}
+{{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: tiller-image-repo-sync
+spec:
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "tiller" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      restartPolicy: OnFailure
+      nodeSelector:
+        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
+      initContainers:
+{{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 8 }}
+      containers:
+        - name: image-repo-sync
+{{ tuple $envAll "image_repo_sync" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.image_repo_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          env:
+            - name: LOCAL_REPO
+              value: "{{ tuple "local_image_registry" "node" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}:{{ tuple "local_image_registry" "node" "registry" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}"
+            - name: IMAGE_SYNC_LIST
+              value: "{{ include "helm-toolkit.utils.image_sync_list" . }}"
+          command:
+            - /tmp/image-repo-sync.sh
+          volumeMounts:
+            - name: tiller-bin
+              mountPath: /tmp/image-repo-sync.sh
+              subPath: image-repo-sync.sh
+              readOnly: true
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+      volumes:
+        - name: tiller-bin
+          configMap:
+            name: tiller-bin
+            defaultMode: 0555
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
+{{- end }}
+{{- end }}

tiller/templates/rbac-entrypoint.yaml

@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.rbac_entrypoint }}
+{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
+{{- end }}

tiller/templates/service-tiller-deploy.yaml

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.service_tiller_deploy }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
@@ -34,3 +35,4 @@ spec:
     name: tiller
   sessionAffinity: None
   type: ClusterIP
+{{- end }}

tiller/templates/serviceaccount-tiller.yaml

@@ -14,9 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}
 
+{{- if .Values.manifests.serviceaccount_tiller }}
 {{- $envAll := . }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: tiller
+{{- end }}

tiller/values.yaml

@@ -26,6 +26,63 @@ release_group: null
 images:
   tags:
     tiller: gcr.io/kubernetes-helm/tiller:v2.7.0-rc1
-  pull_policy: "IfNotPresent"
-  registry:
-    prefix: null
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: IfNotPresent
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+pod:
+  resources:
+    enabled: false
+    jobs:
+      image_repo_sync:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "1024Mi"
+          cpu: "2000m"
+
+dependencies:
+  tiller:
+    services: null
+  image_repo_sync:
+    services:
+      - service: local_image_registry
+        endpoint: internal
+
+conditional_dependencies:
+  local_image_registry:
+    jobs:
+      - tiller-image-repo-sync
+    services:
+      - service: local_image_registry
+        endpoint: node
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  local_image_registry:
+    name: docker-registry
+    namespace: docker-registry
+    hosts:
+      default: localhost
+      internal: docker-registry
+      node: localhost
+    host_fqdn_override:
+      default: null
+    port:
+      registry:
+        node: 5000
+
+manifests:
+  clusterrolebinding_tiller: true
+  configmap_bin: true
+  deployment_tiller: true
+  job_image_repo_sync: true
+  rbac_entrypoint: true
+  service_tiller_deploy: true
+  serviceaccount_tiller: true

tools/gate/playbooks/deploy-helm-packages/tasks/generate-dynamic-over-rides.yaml

@@ -13,20 +13,7 @@
 # This set of tasks creates over-rides that need to be generated dyamicly and
 # injected at runtime.
 
-- name: Ensure docker python packages deployed
-  include_role:
-    name: deploy-package
-    tasks_from: pip
-  vars:
-    packages:
-      - yq
-
 - name: setup directorys on host
   file:
     path: "{{ work_dir }}/tools/gate/local-overrides/"
     state: directory
-
-- name: generate overides for bootstrap-registry-registry release
-  shell: "./tools/image-repo-overides.sh > ./tools/gate/local-overrides/bootstrap-registry-registry.yaml"
-  args:
-    chdir: "{{ work_dir }}"

tools/gate/playbooks/vars.yaml

@@ -50,18 +50,18 @@ nodes:
         value: enabled
 
 chart_groups:
-  - name: bootstrap_registry
+  - name: docker_registry
     timeout: 600
     charts:
-      - bootstrap_registry_nfs_provisioner
-      - bootstrap_registry_redis
-      - bootstrap_registry_registry
+      - docker_registry_nfs_provisioner
+      - docker_registry_redis
+      - docker_registry
 
 charts:
-  bootstrap_registry_nfs_provisioner:
+  docker_registry_nfs_provisioner:
     chart_name: nfs-provisioner
-    release: bootstrap-registry-nfs-provisioner
-    namespace: bootstrap-registry
+    release: docker-registry-nfs-provisioner
+    namespace: docker-registry
     upgrade:
       pre:
         delete:
@@ -77,19 +77,19 @@ charts:
       storageclass:
         name: openstack-helm-bootstrap
 
-  bootstrap_registry_redis:
+  docker_registry_redis:
     chart_name: redis
-    release: bootstrap-registry-redis
-    namespace: bootstrap-registry
+    release: docker-registry-redis
+    namespace: docker-registry
     values:
       labels:
         node_selector_key: openstack-helm-node-class
         node_selector_value: primary
 
-  bootstrap_registry_registry:
+  docker_registry:
     chart_name: registry
-    release: bootstrap-registry-registry
-    namespace: bootstrap-registry
+    release: docker-registry
+    namespace: docker-registry
     values:
       labels:
         node_selector_key: openstack-helm-node-class

tools/gate/playbooks/zuul-pre.yaml

@@ -59,8 +59,17 @@
   gather_facts: False
   become: yes
   roles:
-    - pull-images
     - build-images
   tags:
-    - pull-images
     - build-images
+
+- hosts: primary
+  vars_files:
+    - vars.yaml
+  vars:
+    work_dir: "{{ zuul.project.src_dir }}"
+  gather_facts: True
+  roles:
+    - pull-images
+  tags:
+    - pull-images