From 4153e6429ed643912c595d64c6cca3e64af156c4 Mon Sep 17 00:00:00 2001 From: Alan Meadows Date: Wed, 22 Mar 2017 12:13:39 -0700 Subject: [PATCH] move all containers into their own mount namespace; fix typos in new configmap logic --- .../snippets/_k8s_init_dep_check.tpl | 6 +- keystone/templates/configmap-etc.yaml | 2 +- keystone/templates/deployment.yaml | 11 +- keystone/templates/etc/_policy.json.tpl | 2 + keystone/templates/job-db-init.yaml | 10 +- keystone/templates/job-db-sync.yaml | 9 +- keystone/values.yaml | 148 +++++++++--------- 7 files changed, 100 insertions(+), 88 deletions(-) diff --git a/helm-toolkit/templates/snippets/_k8s_init_dep_check.tpl b/helm-toolkit/templates/snippets/_k8s_init_dep_check.tpl index 18896da884..147ad1a5a8 100644 --- a/helm-toolkit/templates/snippets/_k8s_init_dep_check.tpl +++ b/helm-toolkit/templates/snippets/_k8s_init_dep_check.tpl @@ -15,6 +15,7 @@ {{- define "helm-toolkit.kubernetes_entrypoint_init_container" -}} {{- $envAll := index . 0 -}} {{- $deps := index . 1 -}} +{{- $mounts := index . 2 -}} { "name": "init", "image": {{ $envAll.Values.images.dep_check | quote }}, @@ -48,7 +49,7 @@ }, { "name": "DEPENDENCY_SERVICE", - "value": "{{ include "helm-toolkit.joinListWithComma" $deps.service }}" + "value": "{{ include "helm-toolkit.joinListWithComma" $deps.service }}" }, { "name": "DEPENDENCY_JOBS", @@ -66,6 +67,7 @@ "name": "COMMAND", "value": "echo done" } - ] + ], +"volumeMounts": {{ $mounts | quote | default "[]"}} } {{- end -}} diff --git a/keystone/templates/configmap-etc.yaml b/keystone/templates/configmap-etc.yaml index b51a383057..0f3ac29bf9 100644 --- a/keystone/templates/configmap-etc.yaml +++ b/keystone/templates/configmap-etc.yaml 
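Review bot: `{{- $mounts := index . 2 -}}` in the first helm-toolkit hunk makes a third tuple element mandatory for every caller of `helm-toolkit.kubernetes_entrypoint_init_container`. `index` fails on an out-of-range position, so any chart still calling with `tuple $envAll $dependencies` would presumably stop rendering, and this patch only updates the keystone templates. A comment above the define would make the contract visible, e.g. `{{/* args: envAll, dependencies, init-container volumeMounts (list or null) */}}`. The define's body continues outside this hunk.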
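Review bot: The new `"volumeMounts": {{ $mounts | quote | default "[]"}}` line in the last helm-toolkit hunk pipes the mounts through `quote`, so a non-empty `init_container` value is emitted as a single JSON string, not as an array of mount objects. `default "[]"` only takes effect if `quote` returns an empty string for a null input. The field needs an array, so I would serialise the value instead, for example `"volumeMounts": {{ $mounts | default (list) | toJson }}`, assuming `list` and `toJson` exist in the Helm version this chart targets. The callers embed the rendered text inside a single-quoted YAML scalar, and JSON encoding does not escape `'`, so a mount path or name containing one would end that scalar early; a comment next to the line should say so.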
@@ -48,7 +48,7 @@ data: {{ .Values.conf.policy.override }} {{- else -}} {{ tuple "etc/_policy.json.tpl" . | include "helm-toolkit.template" | indent 4 }} -{{- end -}} +{{- end }} mpm_event.conf: |+ {{ tuple "etc/_mpm_event.conf.tpl" . | include "helm-toolkit.template" | indent 4 }} wsgi-keystone.conf: |+ diff --git a/keystone/templates/deployment.yaml b/keystone/templates/deployment.yaml index f0e416ca88..d730ce6d96 100644 --- a/keystone/templates/deployment.yaml +++ b/keystone/templates/deployment.yaml @@ -11,10 +11,10 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} -{{- $mounts := .Values.mounts.api }} +{{- $mounts_keystone_api := .Values.mounts.keystone_api.keystone_api }} +{{- $mounts_keystone_api_init := .Values.mounts.keystone_api.init_container }} apiVersion: extensions/v1beta1 kind: Deployment @@ -38,7 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.hash" }} pod.beta.kubernetes.io/init-containers: '[ -{{ tuple $envAll $dependencies | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} +{{ tuple $envAll $dependencies $mounts_keystone_api_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} ]' spec: nodeSelector: @@ -75,7 +75,6 @@ spec: tcpSocket: port: {{ .Values.network.port.api }} volumeMounts: -{{ toYaml $mounts.volumeMounts | indent 12 }} +{{ toYaml $mounts_keystone_api.volumeMounts | indent 12 }} volumes: -{{ toYaml $mounts.volumes | indent 8 }} - +{{ toYaml $mounts_keystone_api.volumes | indent 8 }} \ No newline at end of file diff --git a/keystone/templates/etc/_policy.json.tpl b/keystone/templates/etc/_policy.json.tpl index ec2fc1bd1e..f7e8a82963 100644 
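Review bot: `$mounts_keystone_api_init` in the first deployment.yaml hunk is passed to the init-container helper as a bare value, while `$mounts_keystone_api` is an object with `volumes` and `volumeMounts`, and nothing in the template documents the difference. The helper places the init value directly after `"volumeMounts":`, so it presumably has to be a list of mount objects whose volume names already exist under `keystone_api.volumes`. I would add a template comment above the two assignments, e.g. `{{/* init_container: list of volumeMounts for the init container; volumes come from keystone_api.volumes */}}`. The same pair of assignments appears in job-db-init.yaml and job-db-sync.yaml.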
--- a/keystone/templates/etc/_policy.json.tpl +++ b/keystone/templates/etc/_policy.json.tpl @@ -195,3 +195,5 @@ "identity:update_domain_config": "rule:admin_required", "identity:delete_domain_config": "rule:admin_required", "identity:get_domain_config_default": "rule:admin_required" + +} diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml index 0dcab9a6f1..574899d632 100644 --- a/keystone/templates/job-db-init.yaml +++ b/keystone/templates/job-db-init.yaml @@ -14,7 +14,9 @@ {{- $envAll := . }} {{- $dependencies := .Values.dependencies.init }} -{{- $mounts := .Values.mounts.job_db_init }} +{{- $mounts_keystone_db_init := .Values.mounts.keystone_db_init.keystone_db_init }} +{{- $mounts_keystone_db_init_init := .Values.mounts.keystone_db_init.init_container }} + apiVersion: batch/v1 kind: Job metadata: @@ -24,7 +26,7 @@ spec: metadata: annotations: pod.beta.kubernetes.io/init-containers: '[ -{{ tuple $envAll $dependencies | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} +{{ tuple $envAll $dependencies $mounts_keystone_db_init_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} ]' spec: restartPolicy: OnFailure @@ -47,7 +49,7 @@ spec: - bash - /tmp/init.sh volumeMounts: -{{ toYaml $mounts.volumeMounts | indent 12 }} +{{ toYaml $mounts_keystone_db_init.volumeMounts | indent 12 }} volumes: -{{ toYaml $mounts.volumes | indent 8 }} +{{ toYaml $mounts_keystone_db_init.volumes | indent 8 }} diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml index 1f2db0b85a..02d0328ef2 100644 --- a/keystone/templates/job-db-sync.yaml +++ b/keystone/templates/job-db-sync.yaml 
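Review bot: The closing `}` restored at the end of `_policy.json.tpl` suggests the previous template rendered a policy.json that was not valid JSON, and nothing visible in this patch would catch a recurrence. This file carries the identity API's authorization rules, so I would add a render-and-parse step to the chart's lint or gate job (render `etc/_policy.json.tpl` and feed the result to a JSON parser) rather than rely on review. The blank `+` line before the brace is harmless to a parser but could be dropped.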
@@ -14,7 +14,8 @@ {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} -{{- $mounts := .Values.mounts.job_db_sync }} +{{- $mounts_keystone_db_sync := .Values.mounts.keystone_db_sync.keystone_db_sync }} +{{- $mounts_keystone_db_sync_init := .Values.mounts.keystone_db_sync.init_container }} apiVersion: batch/v1 kind: Job metadata: @@ -24,7 +25,7 @@ spec: metadata: annotations: pod.beta.kubernetes.io/init-containers: '[ -{{ tuple $envAll $dependencies | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} +{{ tuple $envAll $dependencies $mounts_keystone_db_sync_init | include "helm-toolkit.kubernetes_entrypoint_init_container" | indent 10 }} ]' spec: restartPolicy: OnFailure @@ -47,6 +48,6 @@ spec: - bash - /tmp/db-sync.sh volumeMounts: -{{ toYaml $mounts.volumeMounts | indent 12 }} +{{ toYaml $mounts_keystone_db_sync.volumeMounts | indent 12 }} volumes: -{{ toYaml $mounts.volumes | indent 8 }} \ No newline at end of file +{{ toYaml $mounts_keystone_db_sync.volumes | indent 8 }} \ No newline at end of file diff --git a/keystone/values.yaml b/keystone/values.yaml index 09c68a9c44..53f0c82a2e 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml 
@@ -95,77 +95,83 @@ resources: cpu: "500m" mounts: - job_db_init: - volumes: - - name: keystone-bin - configMap: - name: keystone-bin - volumeMounts: - - name: keystone-bin - mountPath: /tmp/init.sh - subPath: init.sh - job_db_sync: - volumes: - - name: empty - emptyDir: {} - - name: keystone-etc - configMap: - name: keystone-etc - - name: keystone-bin - configMap: - name: keystone-bin - volumeMounts: - - name: empty - mountPath: /etc/keystone - - name: keystone-etc - mountPath: /etc/keystone/keystone.conf - subPath: keystone.conf - readOnly: true - - name: keystone-bin - mountPath: /tmp/db-sync.sh - subPath: db-sync.sh - readOnly: true - api: - volumes: - - name: empty - emptyDir: {} - - name: keystone-etc - configMap: - name: keystone-etc - - name: keystone-bin - configMap: - name: keystone-bin - volumeMounts: - - name: empty - mountPath: /etc/keystone - - name: keystone-etc - mountPath: /etc/keystone/keystone.conf - subPath: keystone.conf - readOnly: true - - name: keystone-etc - mountPath: /etc/keystone/keystone-paste.ini - subPath: keystone-paste.ini - readOnly: true - - name: keystone-etc - mountPath: /etc/keystone/policy.json - subPath: policy.json - readOnly: true - - name: keystone-etc - mountPath: /etc/keystone/sso_callback_template.html - subPath: sso_callback_template.html - readOnly: true - - name: keystone-etc - mountPath: /etc/apache2/conf-enabled/wsgi-keystone.conf - subPath: wsgi-keystone.conf - readOnly: true - - name: keystone-etc - mountPath: /etc/apache2/mods-available/mpm_event.conf - subPath: mpm_event.conf - readOnly: true - - name: keystone-bin - mountPath: /tmp/start.sh - subPath: start.sh - readOnly: true + keystone_db_init: + init_container: null + keystone_db_init: + volumes: + - name: keystone-bin + configMap: + name: keystone-bin + volumeMounts: + - name: keystone-bin + mountPath: /tmp/init.sh + subPath: init.sh + keystone_db_sync: + init_container: null + keystone_db_sync: + volumes: + - name: empty + emptyDir: {} + - name: 
keystone-etc + configMap: + name: keystone-etc + - name: keystone-bin + configMap: + name: keystone-bin + volumeMounts: + - name: empty + mountPath: /etc/keystone + - name: keystone-etc + mountPath: /etc/keystone/keystone.conf + subPath: keystone.conf + readOnly: true + - name: keystone-bin + mountPath: /tmp/db-sync.sh + subPath: db-sync.sh + readOnly: true + keystone_api: + init_container: null + keystone_api: + volumes: + - name: empty + emptyDir: {} + - name: keystone-etc + configMap: + name: keystone-etc + - name: keystone-bin + configMap: + name: keystone-bin + volumeMounts: + - name: empty + mountPath: /etc/keystone + - name: keystone-etc + mountPath: /etc/keystone/keystone.conf + subPath: keystone.conf + readOnly: true + - name: keystone-etc + mountPath: /etc/keystone/keystone-paste.ini + subPath: keystone-paste.ini + readOnly: true + - name: keystone-etc + mountPath: /etc/keystone/policy.json + subPath: policy.json + readOnly: true + - name: keystone-etc + mountPath: /etc/keystone/sso_callback_template.html + subPath: sso_callback_template.html + readOnly: true + - name: keystone-etc + mountPath: /etc/apache2/conf-enabled/wsgi-keystone.conf + subPath: wsgi-keystone.conf + readOnly: true + - name: keystone-etc + mountPath: /etc/apache2/mods-available/mpm_event.conf + subPath: mpm_event.conf + readOnly: true + - name: keystone-bin + mountPath: /tmp/start.sh + subPath: start.sh + readOnly: true conf: paste:
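Review bot: The relocated `keystone_db_init` mount of `/tmp/init.sh` still has no `readOnly: true`, while the other script and config mounts in this block (`db-sync.sh`, `start.sh`, the `keystone-etc` files) set it. Since the block is being rewritten anyway, I would add `readOnly: true` under `subPath: init.sh` so the script the job runs as `bash /tmp/init.sh` is mounted the same way as the others. The three `init_container: null` keys also need a comment stating the shape they accept, e.g. `# list of volumeMounts for the init container, or null for none`.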