From fa2620d54b85964c3b5222365f124007f721c7e0 Mon Sep 17 00:00:00 2001 
From: portdirect Date: Wed, 20 Dec 2017 12:21:42 -0500 Subject: [PATCH] RBAC for OSH This PS applys RBAC rules to OSH, based off the work done in https://review.openstack.org/#/c/526464/ Change-Id: I541b0ac1a3972566ef2b66571ae32744dab70c17 --- barbican/templates/deployment-api.yaml | 5 + barbican/templates/job-bootstrap.yaml | 5 + barbican/templates/job-db-drop.yaml | 10 +- barbican/templates/job-db-init.yaml | 6 +- barbican/templates/job-db-sync.yaml | 6 +- barbican/templates/job-ks-endpoints.yaml | 6 +- barbican/templates/job-ks-service.yaml | 6 +- barbican/templates/job-ks-user.yaml | 6 +- ceilometer/templates/deployment-api.yaml | 5 + ceilometer/templates/deployment-central.yaml | 5 + .../templates/deployment-collector.yaml | 5 + ceilometer/templates/deployment-compute.yaml | 5 + .../templates/deployment-notification.yaml | 5 + ceilometer/templates/job-db-init-mongodb.yaml | 6 +- ceilometer/templates/job-db-init.yaml | 6 +- ceilometer/templates/job-db-sync.yaml | 6 +- ceilometer/templates/job-ks-endpoints.yaml | 6 +- ceilometer/templates/job-ks-service.yaml | 6 +- ceilometer/templates/job-ks-user.yaml | 6 +- ceph/templates/daemonset-mon.yaml | 33 +++++- ceph/templates/daemonset-osd.yaml | 6 +- ceph/templates/deployment-mds.yaml | 7 +- ceph/templates/deployment-mgr.yaml | 7 +- ceph/templates/deployment-moncheck.yaml | 7 +- .../templates/deployment-rbd-provisioner.yaml | 103 +++++++++++++++++- ceph/templates/deployment-rgw.yaml | 7 +- ceph/templates/job-bootstrap.yaml | 6 +- ceph/templates/job-keyring.yaml | 34 ++++++ ceph/templates/job-ks-endpoints.yaml | 6 +- ceph/templates/job-ks-service.yaml | 6 +- ceph/templates/job-ks-user.yaml | 6 +- .../job-namespace-client-key-cleaner.yaml | 42 ++++++- ceph/templates/job-namespace-client-key.yaml | 64 +++++++++++ ceph/templates/job-rbd-pool.yaml | 7 +- ceph/templates/job-storage-admin-keys.yaml | 33 ++++++ ceph/values.yaml | 9 +- .../cron-job-cinder-volume-usage-audit.yaml | 10 +- cinder/templates/deployment-api.yaml | 5 
+ cinder/templates/deployment-backup.yaml | 5 + cinder/templates/deployment-scheduler.yaml | 5 + cinder/templates/deployment-volume.yaml | 5 + cinder/templates/job-bootstrap.yaml | 6 +- cinder/templates/job-db-drop.yaml | 10 +- cinder/templates/job-db-init.yaml | 6 +- cinder/templates/job-db-sync.yaml | 6 +- cinder/templates/job-ks-endpoints.yaml | 6 +- cinder/templates/job-ks-service.yaml | 6 +- cinder/templates/job-ks-user.yaml | 6 +- cinder/templates/pod-rally-test.yaml | 6 +- congress/templates/deployment-api.yaml | 6 +- congress/templates/deployment-datasource.yaml | 6 +- .../templates/deployment-policy-engine.yaml | 6 +- congress/templates/job-db-init.yaml | 6 +- congress/templates/job-db-sync.yaml | 6 +- congress/templates/job-ds-create.yaml | 6 +- congress/templates/job-ks-endpoints.yaml | 6 +- congress/templates/job-ks-service.yaml | 6 +- congress/templates/job-ks-user.yaml | 6 +- etcd/templates/deployment.yaml | 7 ++ etcd/values.yaml | 5 + glance/templates/deployment-api.yaml | 5 + glance/templates/deployment-registry.yaml | 5 + glance/templates/job-bootstrap.yaml | 6 +- glance/templates/job-clean.yaml | 44 +++++++- glance/templates/job-db-drop.yaml | 10 +- glance/templates/job-db-init.yaml | 6 +- glance/templates/job-db-sync.yaml | 6 +- glance/templates/job-ks-endpoints.yaml | 6 +- glance/templates/job-ks-service.yaml | 6 +- glance/templates/job-ks-user.yaml | 6 +- glance/templates/job-storage-init.yaml | 37 ++++++- glance/values.yaml | 2 + gnocchi/templates/daemonset-metricd.yaml | 5 + gnocchi/templates/daemonset-statsd.yaml | 5 + gnocchi/templates/deployment-api.yaml | 5 + gnocchi/templates/job-db-init-indexer.yaml | 6 +- gnocchi/templates/job-db-init-keystone.yaml | 6 +- gnocchi/templates/job-db-sync.yaml | 6 +- gnocchi/templates/job-ks-endpoints.yaml | 6 +- gnocchi/templates/job-ks-service.yaml | 6 +- gnocchi/templates/job-ks-user.yaml | 6 +- gnocchi/templates/job-storage-init.yaml | 37 ++++++- gnocchi/templates/pod-gnocchi-test.yaml | 2 +- 
heat/templates/deployment-api.yaml | 5 + heat/templates/deployment-cfn.yaml | 5 + heat/templates/deployment-cloudwatch.yaml | 5 + heat/templates/deployment-engine.yaml | 5 + heat/templates/job-bootstrap.yaml | 5 + heat/templates/job-db-drop.yaml | 10 +- heat/templates/job-db-init.yaml | 6 +- heat/templates/job-db-sync.yaml | 6 +- heat/templates/job-ks-endpoints.yaml | 6 +- heat/templates/job-ks-service.yaml | 6 +- heat/templates/job-ks-user.yaml | 6 +- heat/templates/job-trusts.yaml | 4 + .../_kubernetes_entrypoint_init_container.tpl | 3 +- .../snippets/_kubernetes_pod_rbac_roles.tpl | 68 ++++++++++++ .../_kubernetes_pod_rbac_serviceaccount.tpl | 50 +++++++++ horizon/templates/deployment.yaml | 5 + horizon/templates/job-db-drop.yaml | 11 +- horizon/templates/job-db-init.yaml | 5 + horizon/templates/job-db-sync.yaml | 5 + ingress/templates/deployment-error.yaml | 7 ++ ingress/templates/deployment-ingress.yaml | 72 ++++++++++++ ingress/templates/role.yaml | 62 +++++++++++ ingress/templates/rolebinding.yaml | 33 ++++++ ingress/values.yaml | 7 ++ .../templates/cron-job-credential-rotate.yaml | 34 ++++++ .../templates/cron-job-fernet-rotate.yaml | 34 ++++++ keystone/templates/deployment-api.yaml | 5 + keystone/templates/job-bootstrap.yaml | 5 + keystone/templates/job-credential-setup.yaml | 34 ++++++ keystone/templates/job-db-drop.yaml | 11 +- keystone/templates/job-db-init.yaml | 5 + keystone/templates/job-db-sync.yaml | 5 + keystone/templates/job-fernet-setup.yaml | 34 ++++++ ldap/templates/statefulset.yaml | 7 ++ ldap/values.yaml | 5 + libvirt/templates/daemonset-libvirt.yaml | 7 ++ libvirt/values.yaml | 4 + magnum/templates/deployment-api.yaml | 5 + magnum/templates/job-bootstrap.yaml | 5 + magnum/templates/job-db-drop.yaml | 10 +- magnum/templates/job-db-init.yaml | 6 +- magnum/templates/job-db-sync.yaml | 6 +- magnum/templates/job-ks-endpoints.yaml | 6 +- magnum/templates/job-ks-service.yaml | 6 +- magnum/templates/job-ks-user.yaml | 6 +- 
magnum/templates/statefulset-conductor.yaml | 5 + mariadb/templates/statefulset.yaml | 7 ++ mariadb/values.yaml | 5 + memcached/templates/deployment.yaml | 7 ++ memcached/values.yaml | 5 + mistral/templates/deployment-api.yaml | 4 + mistral/templates/deployment-executor.yaml | 4 + mistral/templates/job-bootstrap.yaml | 4 + mistral/templates/job-db-drop.yaml | 10 +- mistral/templates/job-db-init.yaml | 6 +- mistral/templates/job-db-sync.yaml | 6 +- mistral/templates/job-ks-endpoints.yaml | 6 +- mistral/templates/job-ks-service.yaml | 6 +- mistral/templates/job-ks-user.yaml | 6 +- mistral/templates/statefulset-engine.yaml | 5 + .../templates/statefulset-event-engine.yaml | 5 + mongodb/templates/statefulset.yaml | 7 ++ mongodb/values.yaml | 5 + neutron/templates/daemonset-dhcp-agent.yaml | 5 + neutron/templates/daemonset-l3-agent.yaml | 5 + neutron/templates/daemonset-lb-agent.yaml | 5 + .../templates/daemonset-metadata-agent.yaml | 5 + neutron/templates/daemonset-ovs-agent.yaml | 5 + neutron/templates/deployment-server.yaml | 5 + neutron/templates/job-bootstrap.yaml | 5 + neutron/templates/job-db-drop.yaml | 10 +- neutron/templates/job-db-init.yaml | 6 +- neutron/templates/job-db-sync.yaml | 6 +- neutron/templates/job-ks-endpoints.yaml | 6 +- neutron/templates/job-ks-service.yaml | 6 +- neutron/templates/job-ks-user.yaml | 6 +- nova/templates/daemonset-compute.yaml | 5 + nova/templates/deployment-api-metadata.yaml | 5 + nova/templates/deployment-api-osapi.yaml | 5 + nova/templates/deployment-conductor.yaml | 5 + nova/templates/deployment-consoleauth.yaml | 5 + nova/templates/deployment-novncproxy.yaml | 5 + nova/templates/deployment-placement.yaml | 5 + nova/templates/deployment-scheduler.yaml | 5 + nova/templates/job-bootstrap.yaml | 5 + nova/templates/job-cell-setup.yaml | 6 +- nova/templates/job-db-drop.yaml | 10 +- nova/templates/job-db-init.yaml | 6 +- nova/templates/job-db-sync.yaml | 6 +- nova/templates/job-ks-endpoints.yaml | 6 +- 
.../templates/job-ks-placement-endpoints.yaml | 6 +- nova/templates/job-ks-placement-service.yaml | 6 +- nova/templates/job-ks-placement-user.yaml | 6 +- nova/templates/job-ks-service.yaml | 6 +- nova/templates/job-ks-user.yaml | 6 +- openvswitch/templates/daemonset-ovs-db.yaml | 7 ++ .../templates/daemonset-ovs-vswitchd.yaml | 6 + openvswitch/values.yaml | 5 + postgresql/templates/statefulset.yaml | 7 ++ postgresql/values.yaml | 5 + rabbitmq/templates/deployment.yaml | 9 +- rabbitmq/values.yaml | 7 +- rally/templates/job-bootstrap.yaml | 5 + rally/templates/job-db-init.yaml | 6 +- rally/templates/job-ks-endpoints.yaml | 6 +- rally/templates/job-ks-service.yaml | 6 +- rally/templates/job-ks-user.yaml | 6 +- rally/templates/job-manage-db.yaml | 6 +- rally/templates/job-run-task.yaml | 6 +- senlin/templates/deployment-api.yaml | 5 + senlin/templates/job-bootstrap.yaml | 4 + senlin/templates/job-db-drop.yaml | 10 +- senlin/templates/job-db-init.yaml | 6 +- senlin/templates/job-db-sync.yaml | 6 +- senlin/templates/job-ks-endpoints.yaml | 6 +- senlin/templates/job-ks-service.yaml | 6 +- senlin/templates/job-ks-user.yaml | 6 +- senlin/templates/statefulset-engine.yaml | 5 + tools/deployment/developer/02-setup-client.sh | 3 - tools/deployment/developer/12-glance.sh | 2 +- 203 files changed, 1805 insertions(+), 136 deletions(-) create mode 100644 helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl create mode 100644 helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl create mode 100644 ingress/templates/role.yaml create mode 100644 ingress/templates/rolebinding.yaml diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml index bf9c88fe9e..8afd34a94e 100644 --- a/barbican/templates/deployment-api.yaml +++ b/barbican/templates/deployment-api.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_barbican_api := .Values.pod.mounts.barbican_api.barbican_api }} {{- $mounts_barbican_api_init := .Values.pod.mounts.barbican_api.init_container }} + +{{- $serviceAccountName := "barbican-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "barbican" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/barbican/templates/job-bootstrap.yaml b/barbican/templates/job-bootstrap.yaml index 89cb43dc44..7bfef649b7 100644 --- a/barbican/templates/job-bootstrap.yaml +++ b/barbican/templates/job-bootstrap.yaml @@ -18,8 +18,12 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} {{- $dependencies := .Values.dependencies.bootstrap }} + {{- $mounts_barbican_bootstrap := .Values.pod.mounts.barbican_bootstrap.barbican_bootstrap }} {{- $mounts_barbican_bootstrap_init := .Values.pod.mounts.barbican_bootstrap.init_container }} + +{{- $serviceAccountName := "barbican-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
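Review bot: In barbican/templates/deployment-api.yaml, `serviceAccountName: {{ $serviceAccountName }}` is set at pod level, so every container in the pod, including the barbican-api container itself, receives this account's API token, and nothing in these hunks shows what the account is allowed to do. The permissions come from `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount`, which the diffstat lists as a new file but which is outside this view; it should be confirmed that it binds only namespaced, read-only rules derived from `$dependencies`. A template comment above the assignment would record the intent, for example `{{/* ServiceAccount for this pod; its roles are rendered by helm-toolkit from $dependencies */}}`, worded to match what the snippet actually grants. The same pattern repeats in the other barbican and ceilometer templates below, including ceilometer/templates/deployment-compute.yaml, whose pod also runs with `hostNetwork: true`.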
@@ -31,6 +35,7 @@ spec: labels: {{ tuple $envAll "barbican" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} diff --git a/barbican/templates/job-db-drop.yaml b/barbican/templates/job-db-drop.yaml index 6ab37dc6ec..92d4a43d08 100644 --- a/barbican/templates/job-db-drop.yaml +++ b/barbican/templates/job-db-drop.yaml @@ -17,11 +17,16 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "barbican-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: barbican-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "barbican-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded @@ -31,11 +36,12 @@ spec: labels: {{ tuple $envAll "barbican" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: barbican-db-drop image: {{ .Values.images.tags.db_drop }} diff --git a/barbican/templates/job-db-init.yaml b/barbican/templates/job-db-init.yaml index edb7fc38c4..9f47f53b62 100644 
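Review bot: In the first hunk of barbican/templates/job-db-drop.yaml the ServiceAccount name now carries the same `randAlphaNum` suffix as the Job, so the identity changes on every render and cannot be matched by a fixed name in RBAC reviews or audit-log rules. Only the Job visibly carries the `helm.sh/hook` annotations; if the objects rendered by the snippet are ordinary release resources (not visible here), each upgrade would also replace the account and whatever is bound to it. The Job needs a unique name, but the account does not appear to: `{{- $serviceAccountName := "barbican-db-drop" }}` would keep it stable while `name: {{ print "barbican-db-drop-" $randStringSuffix }}` stays as is. The diffstat shows same-sized changes to the job-db-drop.yaml of other charts, which are outside this view.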
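Review bot: In the second hunk of barbican/templates/job-db-drop.yaml, the bare `list` in `tuple $envAll $dependencies list` reads like a value but is a template function evaluated with no arguments, which is easy to misread when reviewing what is passed to the init-container helper. Writing the argument as `(list)`, as in `{{ tuple $envAll $dependencies (list) | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}`, makes the call explicit. The same line recurs in the db-init, db-sync, ks-endpoints, ks-service and ks-user job templates that follow.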
--- a/barbican/templates/job-db-init.yaml +++ b/barbican/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "barbican-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "barbican" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: barbican-db-init image: {{ .Values.images.tags.db_init }} diff --git a/barbican/templates/job-db-sync.yaml b/barbican/templates/job-db-sync.yaml index c233d8ca15..6ddf6e33e1 100644 --- a/barbican/templates/job-db-sync.yaml +++ b/barbican/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "barbican-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "barbican" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: barbican-db-sync image: {{ .Values.images.tags.barbican_db_sync }} diff --git a/barbican/templates/job-ks-endpoints.yaml b/barbican/templates/job-ks-endpoints.yaml index 5b86e57b7d..844042eb21 100644 --- a/barbican/templates/job-ks-endpoints.yaml +++ b/barbican/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "barbican-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "barbican" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "key-manager" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/barbican/templates/job-ks-service.yaml b/barbican/templates/job-ks-service.yaml index f749a987de..f699a576b1 100644 --- a/barbican/templates/job-ks-service.yaml +++ b/barbican/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "barbican-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "barbican" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "key-manager" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/barbican/templates/job-ks-user.yaml b/barbican/templates/job-ks-user.yaml index 9aaace265c..ff1634b4a1 100644 --- a/barbican/templates/job-ks-user.yaml +++ b/barbican/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "barbican-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "barbican" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: barbican-ks-user image: {{ .Values.images.tags.ks_user }} 
diff --git a/ceilometer/templates/deployment-api.yaml b/ceilometer/templates/deployment-api.yaml index acaf52f51b..c99912a4bd 100644 --- a/ceilometer/templates/deployment-api.yaml +++ b/ceilometer/templates/deployment-api.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_ceilometer_api := .Values.pod.mounts.ceilometer_api.ceilometer_api }} {{- $mounts_ceilometer_api_init := .Values.pod.mounts.ceilometer_api.init_container }} + +{{- $serviceAccountName := "ceilometer-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ceilometer" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/ceilometer/templates/deployment-central.yaml b/ceilometer/templates/deployment-central.yaml index dfcde25720..7c9a147f51 100644 --- a/ceilometer/templates/deployment-central.yaml +++ b/ceilometer/templates/deployment-central.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_central }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.central }} + {{- $mounts_ceilometer_central := .Values.pod.mounts.ceilometer_central.ceilometer_central }} {{- $mounts_ceilometer_central_init := .Values.pod.mounts.ceilometer_central.init_container }} + +{{- $serviceAccountName := "ceilometer-central" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ceilometer" "central" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/ceilometer/templates/deployment-collector.yaml b/ceilometer/templates/deployment-collector.yaml index 5a10b0a0db..d402eda714 100644 --- a/ceilometer/templates/deployment-collector.yaml +++ b/ceilometer/templates/deployment-collector.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_collector }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.collector }} + {{- $mounts_ceilometer_collector := .Values.pod.mounts.ceilometer_collector.ceilometer_collector }} {{- $mounts_ceilometer_collector_init := .Values.pod.mounts.ceilometer_collector.init_container }} + +{{- $serviceAccountName := "ceilometer-collector" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ceilometer" "collector" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/ceilometer/templates/deployment-compute.yaml b/ceilometer/templates/deployment-compute.yaml index 26a7c76f3b..2c0bb8781f 100644 --- a/ceilometer/templates/deployment-compute.yaml +++ b/ceilometer/templates/deployment-compute.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_compute }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.compute }} + {{- $mounts_ceilometer_compute := .Values.pod.mounts.ceilometer_compute.ceilometer_compute }} {{- $mounts_ceilometer_compute_init := .Values.pod.mounts.ceilometer_compute.init_container }} + +{{- $serviceAccountName := "ceilometer-compute" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ceilometer" "compute" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} hostNetwork: true diff --git a/ceilometer/templates/deployment-notification.yaml b/ceilometer/templates/deployment-notification.yaml index ff3bf41b39..84644d68b3 100644 --- a/ceilometer/templates/deployment-notification.yaml +++ b/ceilometer/templates/deployment-notification.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_notification }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.notification }} + {{- $mounts_ceilometer_notification := .Values.pod.mounts.ceilometer_notification.ceilometer_notification }} {{- $mounts_ceilometer_notification_init := .Values.pod.mounts.ceilometer_notification.init_container }} + +{{- $serviceAccountName := "ceilometer-notification" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ceilometer" "notification" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/ceilometer/templates/job-db-init-mongodb.yaml b/ceilometer/templates/job-db-init-mongodb.yaml index 6ee05c919b..baafef1786 100644 --- a/ceilometer/templates/job-db-init-mongodb.yaml +++ b/ceilometer/templates/job-db-init-mongodb.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init_mongodb }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init_mongodb }} + +{{- $serviceAccountName := "ceilometer-db-init-mongodb" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -25,11 +28,12 @@ metadata: spec: template: spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceilometer-db-init-mongodb image: {{ .Values.images.tags.db_init_mongodb | quote }} diff --git a/ceilometer/templates/job-db-init.yaml b/ceilometer/templates/job-db-init.yaml index 7f5ce905b6..5d20127d94 100644 --- a/ceilometer/templates/job-db-init.yaml +++ b/ceilometer/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "ceilometer-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -25,11 +28,12 @@ metadata: spec: template: spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceilometer-db-init image: {{ .Values.images.tags.db_init | quote }} diff --git a/ceilometer/templates/job-db-sync.yaml b/ceilometer/templates/job-db-sync.yaml index 11ffed95b1..094fd397be 100644 --- a/ceilometer/templates/job-db-sync.yaml +++ b/ceilometer/templates/job-db-sync.yaml 
@@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "ceilometer-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -25,11 +28,12 @@ metadata: spec: template: spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceilometer-db-sync image: {{ .Values.images.tags.ceilometer_db_sync }} diff --git a/ceilometer/templates/job-ks-endpoints.yaml b/ceilometer/templates/job-ks-endpoints.yaml index 3e002f8925..4c5f6a4e3d 100644 --- a/ceilometer/templates/job-ks-endpoints.yaml +++ b/ceilometer/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "ceilometer-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -25,11 +28,12 @@ metadata: spec: template: spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "metering" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/ceilometer/templates/job-ks-service.yaml b/ceilometer/templates/job-ks-service.yaml index 39948845af..61d992c13c 100644 --- a/ceilometer/templates/job-ks-service.yaml +++ b/ceilometer/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "ceilometer-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -25,11 +28,12 @@ metadata: spec: template: spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "metering" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/ceilometer/templates/job-ks-user.yaml b/ceilometer/templates/job-ks-user.yaml index ad82e8b881..23fd97e36c 100644 
--- a/ceilometer/templates/job-ks-user.yaml +++ b/ceilometer/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "ceilometer-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -25,11 +28,12 @@ metadata: spec: template: spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceilometer-ks-user image: {{ .Values.images.tags.ks_user }} diff --git a/ceph/templates/daemonset-mon.yaml b/ceph/templates/daemonset-mon.yaml index d71389e26f..b0fc378f25 100644 --- a/ceph/templates/daemonset-mon.yaml +++ b/ceph/templates/daemonset-mon.yaml 
@@ -18,6 +18,35 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.deployment.ceph }} {{- $dependencies := .Values.dependencies.mon }} + +{{- $serviceAccountName := "ceph-mon"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- kind: DaemonSet apiVersion: extensions/v1beta1 @@ -29,13 +58,13 @@ spec: labels: {{ tuple $envAll "ceph" "mon" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.mon.node_selector_key }}: {{ .Values.labels.mon.node_selector_value }} hostNetwork: true dnsPolicy: {{ .Values.pod.dns_policy }} - serviceAccount: default initContainers: -{{ tuple $envAll $dependencies "" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-init-dirs image: {{ .Values.images.tags.ceph_daemon }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/ceph/templates/daemonset-osd.yaml b/ceph/templates/daemonset-osd.yaml index f08f6c4614..86d9c72bfa 100644 --- a/ceph/templates/daemonset-osd.yaml +++ b/ceph/templates/daemonset-osd.yaml 
@@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.deployment.ceph }} {{- $dependencies := .Values.dependencies.osd }} + +{{- $serviceAccountName := "ceph-osd"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- kind: DaemonSet apiVersion: extensions/v1beta1 @@ -29,12 +32,13 @@ spec: labels: {{ tuple $envAll "ceph" "osd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.osd.node_selector_key }}: {{ .Values.labels.osd.node_selector_value }} hostNetwork: true dnsPolicy: {{ .Values.pod.dns_policy }} initContainers: -{{ tuple $envAll $dependencies "" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-init-dirs image: {{ .Values.images.tags.ceph_daemon }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/ceph/templates/deployment-mds.yaml b/ceph/templates/deployment-mds.yaml index b522003881..23e0daebb1 100644 --- a/ceph/templates/deployment-mds.yaml +++ b/ceph/templates/deployment-mds.yaml @@ -19,6 +19,9 @@ limitations under the License. {{- if .Values.deployment.ceph }} {{- if .Values.ceph.enabled.mds }} {{- $dependencies := .Values.dependencies.mds }} + +{{- $serviceAccountName := "ceph-mds"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- kind: Deployment apiVersion: apps/v1beta1 
@@ -32,13 +35,13 @@ spec: labels: {{ tuple $envAll "ceph" "mds" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ceph" "mds" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.mds.node_selector_key }}: {{ .Values.labels.mds.node_selector_value }} - serviceAccount: default initContainers: -{{ tuple $envAll $dependencies "" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-init-dirs image: {{ .Values.images.tags.ceph_daemon }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/ceph/templates/deployment-mgr.yaml b/ceph/templates/deployment-mgr.yaml index c44bf1fd8a..c5ec309371 100644 --- a/ceph/templates/deployment-mgr.yaml +++ b/ceph/templates/deployment-mgr.yaml @@ -19,6 +19,9 @@ limitations under the License. {{- if .Values.deployment.ceph }} {{- if .Values.ceph.enabled.mgr }} {{- $dependencies := .Values.dependencies.mgr }} + +{{- $serviceAccountName := "ceph-mgr"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- kind: Deployment apiVersion: apps/v1beta1 
@@ -31,15 +34,15 @@ spec: labels: {{ tuple $envAll "ceph" "mgr" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ceph" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.mgr.node_selector_key }}: {{ .Values.labels.mgr.node_selector_value }} hostNetwork: true dnsPolicy: {{ .Values.pod.dns_policy }} - serviceAccount: default initContainers: -{{ tuple $envAll $dependencies "" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-init-dirs image: {{ .Values.images.tags.ceph_daemon }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/ceph/templates/deployment-moncheck.yaml b/ceph/templates/deployment-moncheck.yaml index ca38c062e5..1d99ab3449 100644 --- a/ceph/templates/deployment-moncheck.yaml +++ b/ceph/templates/deployment-moncheck.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.deployment.ceph }} {{- $dependencies := .Values.dependencies.moncheck }} + +{{- $serviceAccountName := "ceph-mon-check"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- kind: Deployment apiVersion: apps/v1beta1 
@@ -30,13 +33,13 @@ spec: labels: {{ tuple $envAll "ceph" "moncheck" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ceph" "moncheck" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.mon.node_selector_key }}: {{ .Values.labels.mon.node_selector_value }} - serviceAccount: default initContainers: -{{ tuple $envAll $dependencies "" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-init-dirs image: {{ .Values.images.tags.ceph_daemon }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/ceph/templates/deployment-rbd-provisioner.yaml b/ceph/templates/deployment-rbd-provisioner.yaml index 94c5f24581..b549e162bb 100644 --- a/ceph/templates/deployment-rbd-provisioner.yaml +++ b/ceph/templates/deployment-rbd-provisioner.yaml 
@@ -18,6 +18,106 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.deployment.rbd_provisioner }} {{- $dependencies := .Values.dependencies.rbd_provisioner }} + +{{- $serviceAccountName := "ceph-rbd-provisioner"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - delete + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - update + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - '' + resources: + - services + - endpoints + verbs: + - get + - apiGroups: + - extensions + resources: + - podsecuritypolicies + resourceNames: + - rbd-provisioner + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: run-rbd-provisioner +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ $serviceAccountName }} + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- kind: Deployment apiVersion: 
extensions/v1beta1 @@ -32,10 +132,11 @@ spec: labels: {{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "rbd" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceph-rbd-provisioner image: {{ .Values.images.tags.ceph_rbd_provisioner }} diff --git a/ceph/templates/deployment-rgw.yaml b/ceph/templates/deployment-rgw.yaml index ef9c45ffb6..ab93d14deb 100644 --- a/ceph/templates/deployment-rgw.yaml +++ b/ceph/templates/deployment-rgw.yaml @@ -19,6 +19,9 @@ limitations under the License. {{- if .Values.deployment.ceph }} {{- if .Values.ceph.enabled.rgw }} {{- $dependencies := .Values.dependencies.rgw }} + +{{- $serviceAccountName := "ceph-rgw"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- kind: Deployment apiVersion: apps/v1beta1 
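Review bot: The ClusterRole is named with the fixed string `ceph-rbd-provisioner` and the ClusterRoleBinding with the literal `run-rbd-provisioner`. Both objects are cluster-scoped, so a second release of this chart in another namespace would likely clash with the first one's objects. Deriving the names from the release namespace keeps them unique, for example `name: {{ printf "%s-%s" $envAll.Release.Namespace $serviceAccountName }}` on the ClusterRole, the ClusterRoleBinding and its `roleRef.name`. The ClusterRole also uses `rbac.authorization.k8s.io/v1` while every other RBAC object in this hunk uses `v1beta1`; using one version throughout would avoid surprises on clusters that serve only one of them.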
@@ -31,13 +34,13 @@ spec: labels: {{ tuple $envAll "ceph" "rgw" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ceph" "rgw" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.rgw.node_selector_key }}: {{ .Values.labels.rgw.node_selector_value }} - serviceAccount: default initContainers: -{{ tuple $envAll $dependencies "" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-init-dirs image: {{ .Values.images.tags.ceph_daemon }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/ceph/templates/job-bootstrap.yaml b/ceph/templates/job-bootstrap.yaml index 6db5ca6066..da08850fef 100644 --- a/ceph/templates/job-bootstrap.yaml +++ b/ceph/templates/job-bootstrap.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} {{- $dependencies := .Values.dependencies.bootstrap }} + +{{- $serviceAccountName := "ceph-bootstrap"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -29,11 +32,12 @@ spec: labels: {{ tuple $envAll "ceph" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.jobs.node_selector_key }}: {{ .Values.labels.jobs.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceph-bootstrap image: {{ .Values.images.tags.ceph_bootstrap }} diff --git a/ceph/templates/job-keyring.yaml b/ceph/templates/job-keyring.yaml index 9c4552c1b2..698aafebdb 100644 --- a/ceph/templates/job-keyring.yaml +++ b/ceph/templates/job-keyring.yaml @@ -20,6 +20,37 @@ limitations under the License. {{- range $key1, $cephBootstrapKey := tuple "mds" "osd" "rgw" "mon" "mgr" }} {{- if not (and (not $envAll.Values.manifests.deployment_rgw) (eq $cephBootstrapKey "rgw")) }} {{- $jobName := print $cephBootstrapKey "-keyring-generator" }} + +{{- $dependencies := $envAll.Values.dependencies.job_keyring_generator }} + +{{- $serviceAccountName := print "ceph-" $jobName }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- apiVersion: batch/v1 kind: Job 
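Review bot: The Role added in job-keyring.yaml grants `get` on every Secret in the release namespace to each keyring generator, although the job presumably only needs to look up the one keyring secret it creates. `create` cannot be narrowed by name, but `get` can: split the rule in two and give the `get` rule `resourceNames: ["<keyring secret name>"]` (placeholder; the secret name is not visible in this hunk). The same unrestricted `secrets` rule appears in the Roles added in deployment-rbd-provisioner.yaml (`get`, `list`), job-namespace-client-key.yaml and job-storage-admin-keys.yaml. A short comment above each rule naming the secret the job touches would make these easier to tighten later.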
@@ -31,9 +62,12 @@ spec: labels: {{ tuple $envAll "ceph" $jobName | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ $envAll.Values.labels.jobs.node_selector_key }}: {{ $envAll.Values.labels.jobs.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceph-{{ $jobName }} image: {{ $envAll.Values.images.tags.ceph_config_helper }} diff --git a/ceph/templates/job-ks-endpoints.yaml b/ceph/templates/job-ks-endpoints.yaml index caca315245..4544dcdb68 100644 --- a/ceph/templates/job-ks-endpoints.yaml +++ b/ceph/templates/job-ks-endpoints.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.deployment.rgw_keystone_user_and_endpoints }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "ceph-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,11 +32,12 @@ spec: labels: {{ tuple $envAll "ceph" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ $envAll.Values.labels.jobs.node_selector_key }}: {{ $envAll.Values.labels.jobs.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "object-store" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} 
diff --git a/ceph/templates/job-ks-service.yaml b/ceph/templates/job-ks-service.yaml index c91cbba9e6..a7a0dc0cd1 100644 --- a/ceph/templates/job-ks-service.yaml +++ b/ceph/templates/job-ks-service.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.deployment.rgw_keystone_user_and_endpoints }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "ceph-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,11 +32,12 @@ spec: labels: {{ tuple $envAll "ceph" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ $envAll.Values.labels.jobs.node_selector_key }}: {{ $envAll.Values.labels.jobs.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "object-store" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/ceph/templates/job-ks-user.yaml b/ceph/templates/job-ks-user.yaml index f08f20d46c..0c02d0980f 100644 --- a/ceph/templates/job-ks-user.yaml +++ b/ceph/templates/job-ks-user.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.deployment.rgw_keystone_user_and_endpoints }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "ceph-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -29,11 +32,12 @@ spec: labels: {{ tuple $envAll "ceph" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ $envAll.Values.labels.jobs.node_selector_key }}: {{ $envAll.Values.labels.jobs.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceph-ks-user image: {{ .Values.images.tags.ks_user }} diff --git a/ceph/templates/job-namespace-client-key-cleaner.yaml b/ceph/templates/job-namespace-client-key-cleaner.yaml index 0005c00241..2ad5f7aa47 100644 --- a/ceph/templates/job-namespace-client-key-cleaner.yaml +++ b/ceph/templates/job-namespace-client-key-cleaner.yaml 
@@ -17,11 +17,48 @@ limitations under the License. {{- if .Values.manifests.job_namespace_client_key_cleaner }} {{- $envAll := . }} {{- if .Values.deployment.client_secrets }} +{{- $dependencies := .Values.dependencies.namespace_client_key_cleaner }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "ceph-namespace-client-key-cleaner-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} + annotations: + "helm.sh/hook": pre-delete +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} + annotations: + "helm.sh/hook": pre-delete +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- apiVersion: batch/v1 kind: Job metadata: - name: ceph-namespace-client-key-cleaner-{{ randAlphaNum 5 | lower }} + name: ceph-namespace-client-key-cleaner-{{ $randStringSuffix }} annotations: "helm.sh/hook": pre-delete spec: @@ -30,9 +67,12 @@ spec: labels: {{ tuple $envAll "ceph" "client-key-cleaner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ $envAll.Values.labels.jobs.node_selector_key }}: {{ $envAll.Values.labels.jobs.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceph-namespace-client-keys-cleaner image: {{ .Values.images.tags.ceph_config_helper }} 
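Review bot: The Role and RoleBinding are marked `"helm.sh/hook": pre-delete` like the Job, but none of the three sets a hook weight or a delete policy. Nothing in this hunk therefore guarantees that the binding exists before the Job's pod starts, and the hook objects, including a Role with `delete` on secrets, are not removed with the release. Adding `"helm.sh/hook-weight": "-5"` to the Role and RoleBinding and `"helm.sh/hook-delete-policy": hook-succeeded` to all three would order them and clean them up. Whether the ServiceAccount rendered by `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount` is a hook or a normal release resource cannot be seen from here and is worth confirming.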
diff --git a/ceph/templates/job-namespace-client-key.yaml b/ceph/templates/job-namespace-client-key.yaml index f95e3273ac..eb3e7daa00 100644 --- a/ceph/templates/job-namespace-client-key.yaml +++ b/ceph/templates/job-namespace-client-key.yaml 
@@ -17,6 +17,67 @@ limitations under the License. {{- if .Values.manifests.job_namespace_client_key }} {{- $envAll := . }} {{- if .Values.deployment.client_secrets }} +{{- $dependencies := .Values.dependencies.namespace_client_key_generator }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := "ceph-namespace-client-key-generator" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }} + namespace: {{ .Values.storageclass.admin_secret_namespace }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }} + namespace: {{ .Values.storageclass.admin_secret_namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- apiVersion: batch/v1 kind: Job 
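Review bot: The Role and RoleBinding created in `.Values.storageclass.admin_secret_namespace` take their name from `$randStringSuffix`, which is re-rolled on every render, so an upgrade would presumably replace the pair under a new name and the name cannot be predicted for audit or cleanup. If the suffix is only there to keep releases from different namespaces apart, the release namespace does that deterministically: `name: {{ printf "%s-%s" $serviceAccountName $envAll.Release.Namespace }}` on both objects and in `roleRef.name`. This Role also lets a ServiceAccount from the release namespace `get` and `list` every Secret in the admin secret namespace. Limiting `get` with `resourceNames: ["<admin secret name>"]` (placeholder) and dropping `list` would keep the cross-namespace grant to the one secret the job appears to copy.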
@@ -28,9 +89,12 @@ spec: labels: {{ tuple $envAll "ceph" "client-key-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ $envAll.Values.labels.jobs.node_selector_key }}: {{ $envAll.Values.labels.jobs.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceph-storage-keys-generator image: {{ .Values.images.tags.ceph_config_helper }} diff --git a/ceph/templates/job-rbd-pool.yaml b/ceph/templates/job-rbd-pool.yaml index 44656567f0..ed1610cfa5 100644 --- a/ceph/templates/job-rbd-pool.yaml +++ b/ceph/templates/job-rbd-pool.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.deployment.ceph }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.rbd_pool }} + +{{- $serviceAccountName := "ceph-rbd-pool" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,12 +32,14 @@ spec: labels: {{ tuple $envAll "ceph" "rbd-pool" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure affinity: {{ tuple $envAll "ceph" "mgr" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.mgr.node_selector_key }}: {{ .Values.labels.mgr.node_selector_value }} - serviceAccount: default + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceph-rbd-pool image: {{ .Values.images.tags.ceph_daemon }} diff --git a/ceph/templates/job-storage-admin-keys.yaml b/ceph/templates/job-storage-admin-keys.yaml index cfeaa12635..bbff9eab0e 100644 
--- a/ceph/templates/job-storage-admin-keys.yaml +++ b/ceph/templates/job-storage-admin-keys.yaml @@ -17,6 +17,36 @@ limitations under the License. {{- if .Values.manifests.job_storage_admin_keys }} {{- $envAll := . }} {{- if .Values.deployment.storage_secrets }} +{{- $dependencies := .Values.dependencies.storage_keys_generator }} + +{{- $serviceAccountName := "ceph-storage-keys-generator" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- apiVersion: batch/v1 kind: Job @@ -28,9 +58,12 @@ spec: labels: {{ tuple $envAll "ceph" "storage-keys-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ $envAll.Values.labels.jobs.node_selector_key }}: {{ $envAll.Values.labels.jobs.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ceph-storage-keys-generator image: {{ .Values.images.tags.ceph_config_helper }} diff --git a/ceph/values.yaml b/ceph/values.yaml index d5489daadf..63c0c00124 100644 --- a/ceph/values.yaml +++ b/ceph/values.yaml 
@@ -202,9 +202,16 @@ conf: mds: dependencies: + job_keyring_generator: + jobs: + namespace_client_key_cleaner: + jobs: + namespace_client_key_generator: + jobs: + storage_keys_generator: + jobs: mon: jobs: - service: osd: jobs: services: diff --git a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml index 6cd0368ac2..5aab6e438c 100644 --- a/cinder/templates/cron-job-cinder-volume-usage-audit.yaml +++ b/cinder/templates/cron-job-cinder-volume-usage-audit.yaml @@ -18,8 +18,13 @@ limitations under the License. {{- if .Capabilities.APIVersions.Has "batch/v2alpha1" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.volume_usage_audit }} + {{- $mounts_cinder_volume_usage_audit := .Values.pod.mounts.cinder_volume_usage_audit.cinder_volume_usage_audit }} {{- $mounts_cinder_volume_usage_audit_init := .Values.pod.mounts.cinder_volume_usage_audit.init_container }} + +{{- $serviceAccountName := "cinder-volume-usage-audit" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- apiVersion: batch/v2alpha1 kind: CronJob metadata: @@ -34,11 +39,12 @@ spec: spec: template: spec: - initContainers: -{{ tuple $envAll $dependencies $mounts_cinder_volume_usage_audit_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }} + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies $mounts_cinder_volume_usage_audit_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }} containers: - name: cinder-volume-usage-audit image: {{ .Values.images.tags.cinder_volume_usage_audit }} diff --git a/cinder/templates/deployment-api.yaml b/cinder/templates/deployment-api.yaml index 4edecf98b4..91b18749e3 100644 
--- a/cinder/templates/deployment-api.yaml +++ b/cinder/templates/deployment-api.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_cinder_api := .Values.pod.mounts.cinder_api.cinder_api }} {{- $mounts_cinder_api_init := .Values.pod.mounts.cinder_api.init_container }} + +{{- $serviceAccountName := "cinder-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "cinder" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/cinder/templates/deployment-backup.yaml b/cinder/templates/deployment-backup.yaml index 6bd12aa5b5..e9d7f34dcb 100644 --- a/cinder/templates/deployment-backup.yaml +++ b/cinder/templates/deployment-backup.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_backup }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.backup }} + {{- $mounts_cinder_backup := .Values.pod.mounts.cinder_backup.cinder_backup }} {{- $mounts_cinder_backup_init := .Values.pod.mounts.cinder_backup.init_container }} + +{{- $serviceAccountName := "cinder-backup" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "cinder" "backup" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/cinder/templates/deployment-scheduler.yaml b/cinder/templates/deployment-scheduler.yaml index 6cedf3026f..16df56c040 100644 --- a/cinder/templates/deployment-scheduler.yaml +++ b/cinder/templates/deployment-scheduler.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_scheduler }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.scheduler }} + {{- $mounts_cinder_scheduler := .Values.pod.mounts.cinder_scheduler.cinder_scheduler }} {{- $mounts_cinder_scheduler_init := .Values.pod.mounts.cinder_scheduler.init_container }} + +{{- $serviceAccountName := "cinder-scheduler" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "cinder" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/cinder/templates/deployment-volume.yaml b/cinder/templates/deployment-volume.yaml index abbaec41d1..c9af51debf 100644 --- a/cinder/templates/deployment-volume.yaml +++ b/cinder/templates/deployment-volume.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_volume }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.volume }} + {{- $mounts_cinder_volume := .Values.pod.mounts.cinder_volume.cinder_volume }} {{- $mounts_cinder_volume_init := .Values.pod.mounts.cinder_volume.init_container }} + +{{- $serviceAccountName := "cinder-volume" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/cinder/templates/job-bootstrap.yaml b/cinder/templates/job-bootstrap.yaml index bde25c77a0..a8742220ce 100644 --- a/cinder/templates/job-bootstrap.yaml +++ b/cinder/templates/job-bootstrap.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} {{- $dependencies := .Values.dependencies.bootstrap }} + +{{- $serviceAccountName := "cinder-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -29,11 +32,12 @@ spec: labels: {{ tuple $envAll "cinder" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: cinder-bootstrap image: {{ .Values.images.tags.bootstrap }} diff --git a/cinder/templates/job-db-drop.yaml b/cinder/templates/job-db-drop.yaml index 5c9ff36e31..4ce58dab5d 100644 --- a/cinder/templates/job-db-drop.yaml +++ b/cinder/templates/job-db-drop.yaml @@ -17,11 +17,16 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "cinder-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: cinder-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "cinder-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded 
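Review bot: In cinder/templates/job-db-drop.yaml the random suffix now goes into the ServiceAccount name as well as the Job name (`$serviceAccountName := print "cinder-db-drop-" $randStringSuffix`), so the identity that any RBAC binding attaches to changes on every render. The Job is a `pre-delete` hook, but whether the ServiceAccount emitted by `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount` is also a hook is not visible here; if it is a normal release resource, each upgrade would presumably replace it under a new name, which makes the account hard to audit or to reference in policy. A fixed account name keeps the suffix only where it is needed: `{{- $serviceAccountName := "cinder-db-drop" }}`. The same pattern appears in glance/templates/job-clean.yaml and glance/templates/job-db-drop.yaml.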
@@ -31,11 +36,12 @@ spec: labels: {{ tuple $envAll "cinder" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: cinder-db-drop image: {{ .Values.images.tags.db_drop | quote }} diff --git a/cinder/templates/job-db-init.yaml b/cinder/templates/job-db-init.yaml index 28c2a808cc..8fab3c9aa9 100644 --- a/cinder/templates/job-db-init.yaml +++ b/cinder/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "cinder-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "cinder" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: cinder-db-init image: {{ .Values.images.tags.db_init | quote }} 
diff --git a/cinder/templates/job-db-sync.yaml b/cinder/templates/job-db-sync.yaml index 624a76cb5f..74e55d24d2 100644 --- a/cinder/templates/job-db-sync.yaml +++ b/cinder/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "cinder-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "cinder" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: cinder-db-sync image: {{ .Values.images.tags.cinder_db_sync }} diff --git a/cinder/templates/job-ks-endpoints.yaml b/cinder/templates/job-ks-endpoints.yaml index 40521ed964..35dceb1142 100644 --- a/cinder/templates/job-ks-endpoints.yaml +++ b/cinder/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "cinder-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "cinder" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "volume" "volumev2" "volumev3" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/cinder/templates/job-ks-service.yaml b/cinder/templates/job-ks-service.yaml index 9439743992..fb5bcfe64d 100644 --- a/cinder/templates/job-ks-service.yaml +++ b/cinder/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "cinder-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "cinder" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "volume" "volumev2" "volumev3" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/cinder/templates/job-ks-user.yaml b/cinder/templates/job-ks-user.yaml index d336e4d8f1..1b68050a88 100644 --- a/cinder/templates/job-ks-user.yaml +++ b/cinder/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "cinder-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "cinder" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: cinder-ks-user image: {{ .Values.images.tags.ks_user }} 
diff --git a/cinder/templates/pod-rally-test.yaml b/cinder/templates/pod-rally-test.yaml index 266ed73b8a..dbd368fe8a 100644 --- a/cinder/templates/pod-rally-test.yaml +++ b/cinder/templates/pod-rally-test.yaml @@ -17,13 +17,17 @@ limitations under the License. {{- if .Values.manifests.pod_rally_test }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.tests }} + {{- $mounts_cinder_tests := .Values.pod.mounts.cinder_tests.cinder_tests }} {{- $mounts_cinder_tests_init := .Values.pod.mounts.cinder_tests.init_container }} + +{{- $serviceAccountName := print $envAll.Release.Name "-test" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: v1 kind: Pod metadata: - name: "{{.Release.Name}}-test" + name: {{ print $envAll.Release.Name "-test" }} annotations: "helm.sh/hook": test-success spec: diff --git a/congress/templates/deployment-api.yaml b/congress/templates/deployment-api.yaml index 0a09c55cb3..bd0c6e09c5 100644 --- a/congress/templates/deployment-api.yaml +++ b/congress/templates/deployment-api.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} +{{- $serviceAccountName := "congress-api-dep" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: 
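Review bot: The test Pod in cinder/templates/pod-rally-test.yaml is never switched to the account this hunk creates: `$serviceAccountName` is defined and passed to the RBAC snippet, but the file's only hunk ends at `spec:` and adds no `serviceAccountName` field, unlike the Deployments and Jobs elsewhere in this patch. As shown, the Pod would keep running under the namespace's default service account, so any dependency-check init container it has below the hunk would not get the permissions granted here. Add `serviceAccountName: {{ $serviceAccountName }}` as the first key under the Pod's `spec:`. The Pod spec continues outside the hunk.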
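Review bot: The account name `congress-api-dep` in congress/templates/deployment-api.yaml breaks the naming used by the other charts in this patch, where the account is named after the workload (`cinder-api`, `glance-api`, `etcd`). A uniform `<chart>-<component>` name makes it easier to match RoleBindings to pods when auditing a namespace; consider `{{- $serviceAccountName := "congress-api" }}`. The same `-dep` suffix is used in deployment-datasource.yaml and deployment-policy-engine.yaml.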
@@ -30,10 +33,11 @@ spec: labels: {{ tuple $envAll "congress" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "congress" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} containers: diff --git a/congress/templates/deployment-datasource.yaml b/congress/templates/deployment-datasource.yaml index 6c3bf81562..a453795a41 100644 --- a/congress/templates/deployment-datasource.yaml +++ b/congress/templates/deployment-datasource.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- $dependencies := .Values.dependencies.datasource }} +{{- $serviceAccountName := "congress-datasource-dep" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: @@ -30,10 +33,11 @@ spec: labels: {{ tuple $envAll "congress" "datasource" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "congress" "datasource" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} containers: 
diff --git a/congress/templates/deployment-policy-engine.yaml b/congress/templates/deployment-policy-engine.yaml index 91359d1da7..6a4542f5fe 100644 --- a/congress/templates/deployment-policy-engine.yaml +++ b/congress/templates/deployment-policy-engine.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- $envAll := . }} {{- $dependencies := .Values.dependencies.policy_engine }} +{{- $serviceAccountName := "congress-policy-engine-dep" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: @@ -30,10 +33,11 @@ spec: labels: {{ tuple $envAll "congress" "policy_engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "congress" "policy_engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} containers: diff --git a/congress/templates/job-db-init.yaml b/congress/templates/job-db-init.yaml index e408fa1455..96428df296 100644 --- a/congress/templates/job-db-init.yaml +++ b/congress/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "congress-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "congress" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: congress-db-init image: {{ .Values.images.tags.db_init }} diff --git a/congress/templates/job-db-sync.yaml b/congress/templates/job-db-sync.yaml index 40e4da19f4..05717eff58 100644 --- a/congress/templates/job-db-sync.yaml +++ b/congress/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "congress-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "congress" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: congress-db-sync image: {{ .Values.images.tags.congress_db_sync }} 
diff --git a/congress/templates/job-ds-create.yaml b/congress/templates/job-ds-create.yaml index 988bb6c2fc..3adfec3b91 100644 --- a/congress/templates/job-ds-create.yaml +++ b/congress/templates/job-ds-create.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ds_create }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ds_create }} + +{{- $serviceAccountName := "congress-ds-create" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "congress" "ds-create" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: congress-ds-create image: {{ .Values.images.tags.congress_ds_create }} diff --git a/congress/templates/job-ks-endpoints.yaml b/congress/templates/job-ks-endpoints.yaml index 9decb81629..2920dbd71a 100644 --- a/congress/templates/job-ks-endpoints.yaml +++ b/congress/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "congress-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "congress" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "policy" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/congress/templates/job-ks-service.yaml b/congress/templates/job-ks-service.yaml index 888cc9e462..22195f7be5 100644 --- a/congress/templates/job-ks-service.yaml +++ b/congress/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "congress-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "congress" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "policy" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/congress/templates/job-ks-user.yaml b/congress/templates/job-ks-user.yaml index 7238d58a3d..5f90bea827 100644 --- a/congress/templates/job-ks-user.yaml +++ b/congress/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "congress-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "congress" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: congress-ks-user image: {{ .Values.images.tags.ks_user }} 
diff --git a/etcd/templates/deployment.yaml b/etcd/templates/deployment.yaml index bf0dd8914d..cd2510afa1 100644 --- a/etcd/templates/deployment.yaml +++ b/etcd/templates/deployment.yaml @@ -13,6 +13,10 @@ # limitations under the License. {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.etcd }} + +{{- $serviceAccountName := "etcd" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -26,10 +30,13 @@ spec: labels: {{ tuple $envAll "etcd" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "etcd" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: etcd image: {{ .Values.images.tags.etcd }} diff --git a/etcd/values.yaml b/etcd/values.yaml index 691bc8b77a..b7b0da1eb6 100644 --- a/etcd/values.yaml +++ b/etcd/values.yaml @@ -20,6 +20,7 @@ images: tags: etcd: 'gcr.io/google_containers/etcd-amd64:2.2.5' + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: IfNotPresent labels: @@ -30,6 +31,10 @@ network: host: etcd port: 2379 +dependencies: + etcd: + jobs: null + pod: affinity: anti: diff --git a/glance/templates/deployment-api.yaml b/glance/templates/deployment-api.yaml index 66e72be4d0..01fc2277c7 100644 --- a/glance/templates/deployment-api.yaml +++ b/glance/templates/deployment-api.yaml 
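Review bot: The new `dep_check` image in etcd/values.yaml is referenced by a mutable tag from a third-party registry, and the deployment.yaml change in this patch makes it run as an init container inside the etcd pod. That container runs under the pod's service account, so a re-pushed `v0.2.1` tag would execute with those credentials; pinning by digest removes that dependency on the registry, e.g. `dep_check: quay.io/stackanetes/kubernetes-entrypoint@sha256:<digest of the reviewed v0.2.1 image>`. With `dependencies.etcd.jobs: null` the container also appears to have nothing to wait for, so it is worth confirming that it is needed on etcd at all.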
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_glance_api := .Values.pod.mounts.glance_api.glance_api }} {{- $mounts_glance_api_init := .Values.pod.mounts.glance_api.init_container }} + +{{- $serviceAccountName := "glance-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "glance" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/glance/templates/deployment-registry.yaml b/glance/templates/deployment-registry.yaml index 082d6754b5..a38cbf427d 100644 --- a/glance/templates/deployment-registry.yaml +++ b/glance/templates/deployment-registry.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_registry }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.registry }} + {{- $mounts_glance_registry := .Values.pod.mounts.glance_registry.glance_registry }} {{- $mounts_glance_registry_init := .Values.pod.mounts.glance_registry.init_container }} + +{{- $serviceAccountName := "glance-registry" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "glance" "registry" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/glance/templates/job-bootstrap.yaml b/glance/templates/job-bootstrap.yaml index 9578503f53..1df8b0216f 100644 --- a/glance/templates/job-bootstrap.yaml +++ b/glance/templates/job-bootstrap.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_bootstrap }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.bootstrap }} + +{{- $serviceAccountName := "glance-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "glance" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: glance-bootstrap image: {{ .Values.images.tags.bootstrap }} diff --git a/glance/templates/job-clean.yaml b/glance/templates/job-clean.yaml index 9fc6568a91..962854bca8 100644 --- a/glance/templates/job-clean.yaml +++ b/glance/templates/job-clean.yaml 
@@ -17,20 +17,62 @@ limitations under the License. {{- if .Values.manifests.job_clean }} {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} +{{- $dependencies := .Values.dependencies.clean }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "glance-clean-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- apiVersion: batch/v1 kind: Job metadata: - name: glance-clean-{{ randAlphaNum 5 | lower }} + name: {{ print "glance-clean-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded spec: template: metadata: labels: {{ tuple $envAll "glance" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- if eq .Values.storage "rbd" }} - name: glance-secret-clean diff --git a/glance/templates/job-db-drop.yaml b/glance/templates/job-db-drop.yaml index 8441be78d7..c305211639 100644 --- a/glance/templates/job-db-drop.yaml 
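Review bot: The new Role in glance/templates/job-clean.yaml grants `get` and `delete` on every Secret in the release namespace, because the `secrets` rule has no `resourceNames`. The clean job only needs the secret(s) it removes, so the rule should be narrowed, e.g. `resourceNames: ["<name of the secret the clean job deletes>"]`; the container command that names the secret is below the hunk, so the exact value has to come from there. Role, RoleBinding and Job are also all `pre-delete` hooks with no `helm.sh/hook-weight`, so nothing visible here guarantees that the binding exists before the Job's pod starts. Giving the Role and RoleBinding a lower weight than the Job would make that order explicit.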
+++ b/glance/templates/job-db-drop.yaml @@ -17,11 +17,16 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "glance-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: glance-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "glance-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded @@ -31,11 +36,12 @@ spec: labels: {{ tuple $envAll "glance" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: glance-db-drop image: {{ .Values.images.tags.db_drop }} diff --git a/glance/templates/job-db-init.yaml b/glance/templates/job-db-init.yaml index 22a85bfca8..2ad9b25623 100644 --- a/glance/templates/job-db-init.yaml +++ b/glance/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "glance-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "glance" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: glance-db-init image: {{ .Values.images.tags.db_init }} diff --git a/glance/templates/job-db-sync.yaml b/glance/templates/job-db-sync.yaml index 922ba566bc..63e1bb91a2 100644 --- a/glance/templates/job-db-sync.yaml +++ b/glance/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "glance-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "glance" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: glance-db-sync image: {{ .Values.images.tags.glance_db_sync }} 
diff --git a/glance/templates/job-ks-endpoints.yaml b/glance/templates/job-ks-endpoints.yaml index b28f79438f..e794c5db02 100644 --- a/glance/templates/job-ks-endpoints.yaml +++ b/glance/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "glance-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "glance" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "image" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/glance/templates/job-ks-service.yaml b/glance/templates/job-ks-service.yaml index f79f18d0ca..0e887a69ad 100644 --- a/glance/templates/job-ks-service.yaml +++ b/glance/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "glance-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "glance" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "image" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/glance/templates/job-ks-user.yaml b/glance/templates/job-ks-user.yaml index d30d231651..a227b01cd6 100644 --- a/glance/templates/job-ks-user.yaml +++ b/glance/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "glance-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "glance" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: glance-ks-user image: {{ .Values.images.tags.ks_user }} 
diff --git a/glance/templates/job-storage-init.yaml b/glance/templates/job-storage-init.yaml index b61fdbe605..27b61bdbed 100644 --- a/glance/templates/job-storage-init.yaml +++ b/glance/templates/job-storage-init.yaml @@ -17,6 +17,40 @@ limitations under the License. {{- if .Values.manifests.job_storage_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.storage_init }} + +{{- $serviceAccountName := "glance-storage-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} + annotations: + "helm.sh/hook": pre-delete +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} + annotations: + "helm.sh/hook": pre-delete +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +62,12 @@ spec: labels: {{ tuple $envAll "glance" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ if or (eq .Values.storage "rbd") (eq .Values.storage "radosgw") }} - name: ceph-keyring-placement image: {{ .Values.images.tags.glance_api }} 
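Review bot: The new Role and RoleBinding for `glance-storage-init` are annotated `"helm.sh/hook": pre-delete`, so Helm creates them only when the release is being deleted, while the storage-init Job gets no hook annotation in this change (its metadata is outside the hunk) and presumably runs at install. If that holds, the pod starts under `serviceAccountName: glance-storage-init` without the secret permissions this Role is meant to grant; dropping the `annotations:` block from both objects installs them with the release. The same annotations are on the Role and RoleBinding in `gnocchi/templates/job-storage-init.yaml`. Separately, the rule covers every Secret in the namespace; `get` and `update` can be limited with `resourceNames`, whereas `create` cannot be restricted by name.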
diff --git a/glance/values.yaml b/glance/values.yaml index 4f930dc488..3a6921fca3 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -292,6 +292,8 @@ volume: size: 2Gi dependencies: + clean: + jobs: null storage_init: services: db_init: diff --git a/gnocchi/templates/daemonset-metricd.yaml b/gnocchi/templates/daemonset-metricd.yaml index c0bf5b7623..f85137ac99 100644 --- a/gnocchi/templates/daemonset-metricd.yaml +++ b/gnocchi/templates/daemonset-metricd.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.daemonset_metricd }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.metricd }} + {{- $mounts_gnocchi_metricd := .Values.pod.mounts.gnocchi_metricd.gnocchi_metricd }} {{- $mounts_gnocchi_metricd_init := .Values.pod.mounts.gnocchi_metricd.init_container }} + +{{- $serviceAccountName := "gnocchi-metricd" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -34,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: diff --git a/gnocchi/templates/daemonset-statsd.yaml b/gnocchi/templates/daemonset-statsd.yaml index 5edf650db8..791b3e0363 100644 --- a/gnocchi/templates/daemonset-statsd.yaml +++ b/gnocchi/templates/daemonset-statsd.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.daemonset_statsd }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.statsd }} + {{- $mounts_gnocchi_statsd := .Values.pod.mounts.gnocchi_statsd.gnocchi_statsd }} {{- $mounts_gnocchi_statsd_init := .Values.pod.mounts.gnocchi_statsd.init_container }} + +{{- $serviceAccountName := "gnocchi-statsd" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -33,6 +37,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: diff --git a/gnocchi/templates/deployment-api.yaml b/gnocchi/templates/deployment-api.yaml index 3ede6386de..1179091a8e 100644 --- a/gnocchi/templates/deployment-api.yaml +++ b/gnocchi/templates/deployment-api.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_gnocchi_api := .Values.pod.mounts.gnocchi_api.gnocchi_api }} {{- $mounts_gnocchi_api_init := .Values.pod.mounts.gnocchi_api.init_container }} + +{{- $serviceAccountName := "gnocchi-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "gnocchi" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/gnocchi/templates/job-db-init-indexer.yaml b/gnocchi/templates/job-db-init-indexer.yaml index 98f26c1114..80e56984cb 100644 --- a/gnocchi/templates/job-db-init-indexer.yaml +++ b/gnocchi/templates/job-db-init-indexer.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init_indexer }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init_postgresql }} + +{{- $serviceAccountName := "gnocchi-db-init-indexer" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "gnocchi" "db-init-indexer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: gnocchi-db-init-indexer image: {{ .Values.images.tags.db_init_indexer | quote }} diff --git a/gnocchi/templates/job-db-init-keystone.yaml b/gnocchi/templates/job-db-init-keystone.yaml index 6b173876d4..cc041be362 100644 --- a/gnocchi/templates/job-db-init-keystone.yaml +++ b/gnocchi/templates/job-db-init-keystone.yaml 
@@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init_keystone }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init_keystone }} + +{{- $serviceAccountName := "gnocchi-db-init-keystone" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "gnocchi" "db-init-keystone" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: keystone-db-init image: {{ .Values.images.tags.db_init_keystone | quote }} diff --git a/gnocchi/templates/job-db-sync.yaml b/gnocchi/templates/job-db-sync.yaml index 174e1e9b43..219ec6e6b5 100644 --- a/gnocchi/templates/job-db-sync.yaml +++ b/gnocchi/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "gnocchi-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "gnocchi" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-keyring-placement image: {{ .Values.images.tags.api }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/gnocchi/templates/job-ks-endpoints.yaml b/gnocchi/templates/job-ks-endpoints.yaml index 5ca8af2737..075a28491b 100644 --- a/gnocchi/templates/job-ks-endpoints.yaml +++ b/gnocchi/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "gnocchi-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -30,11 +33,12 @@ spec: metadata: annotations: spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "metric" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} 
diff --git a/gnocchi/templates/job-ks-service.yaml b/gnocchi/templates/job-ks-service.yaml index d5233cafb6..be4804c98f 100644 --- a/gnocchi/templates/job-ks-service.yaml +++ b/gnocchi/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "gnocchi-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "gnocchi" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "metric" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/gnocchi/templates/job-ks-user.yaml b/gnocchi/templates/job-ks-user.yaml index b7d88927cf..895796de4b 100644 --- a/gnocchi/templates/job-ks-user.yaml +++ b/gnocchi/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "gnocchi-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "gnocchi" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: gnocchi-ks-user image: {{ .Values.images.tags.ks_user }} diff --git a/gnocchi/templates/job-storage-init.yaml b/gnocchi/templates/job-storage-init.yaml index 765ea4d3fe..7dcabb151c 100644 --- a/gnocchi/templates/job-storage-init.yaml +++ b/gnocchi/templates/job-storage-init.yaml @@ -17,6 +17,40 @@ limitations under the License. {{- if .Values.manifests.job_storage_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.storage_init }} + +{{- $serviceAccountName := "gnocchi-storage-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} + annotations: + "helm.sh/hook": pre-delete +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} + annotations: + "helm.sh/hook": pre-delete +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +62,12 @@ spec: labels: {{ tuple $envAll "gnocchi" "storage-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-keyring-placement image: {{ .Values.images.tags.api }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/gnocchi/templates/pod-gnocchi-test.yaml b/gnocchi/templates/pod-gnocchi-test.yaml index adf6582706..5aea8eaba3 100644 --- a/gnocchi/templates/pod-gnocchi-test.yaml +++ b/gnocchi/templates/pod-gnocchi-test.yaml @@ -29,7 +29,7 @@ metadata: spec: restartPolicy: Never initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }} - name: ceph-keyring-placement image: {{ .Values.images.tags.api }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/heat/templates/deployment-api.yaml b/heat/templates/deployment-api.yaml index d3d395e725..bd85e718ea 100644 --- a/heat/templates/deployment-api.yaml +++ b/heat/templates/deployment-api.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_heat_api := .Values.pod.mounts.heat_api.heat_api }} {{- $mounts_heat_api_init := .Values.pod.mounts.heat_api.init_container }} + +{{- $serviceAccountName := "heat-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "heat" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/heat/templates/deployment-cfn.yaml b/heat/templates/deployment-cfn.yaml index a296b4cbe0..4f358c70df 100644 --- a/heat/templates/deployment-cfn.yaml +++ b/heat/templates/deployment-cfn.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_cfn }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.cfn }} + {{- $mounts_heat_cfn := .Values.pod.mounts.heat_cfn.heat_cfn }} {{- $mounts_heat_cfn_init := .Values.pod.mounts.heat_cfn.init_container }} + +{{- $serviceAccountName := "heat-cfn" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "heat" "cfn" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/heat/templates/deployment-cloudwatch.yaml b/heat/templates/deployment-cloudwatch.yaml index b1dbbc45b7..4060a2bc1c 100644 --- a/heat/templates/deployment-cloudwatch.yaml +++ b/heat/templates/deployment-cloudwatch.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_cloudwatch }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.cloudwatch }} + {{- $mounts_heat_cloudwatch := .Values.pod.mounts.heat_cloudwatch.heat_cloudwatch }} {{- $mounts_heat_cloudwatch_init := .Values.pod.mounts.heat_cloudwatch.init_container }} + +{{- $serviceAccountName := "heat-cloudwatch" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "heat" "cloudwatch" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/heat/templates/deployment-engine.yaml b/heat/templates/deployment-engine.yaml index 9ac52dfd09..3768434fbb 100644 --- a/heat/templates/deployment-engine.yaml +++ b/heat/templates/deployment-engine.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if or ( .Values.manifests.deployment_engine ) ( .Values.manifests.statefulset_engine ) }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.engine }} + {{- $mounts_heat_engine := .Values.pod.mounts.heat_engine.heat_engine }} {{- $mounts_heat_engine_init := .Values.pod.mounts.heat_engine.init_container }} + +{{- $serviceAccountName := "heat-engine" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 metadata: @@ -43,6 +47,7 @@ spec: configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} {{- end }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{- tuple $envAll "heat" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/heat/templates/job-bootstrap.yaml b/heat/templates/job-bootstrap.yaml index c220f80807..7387209d0f 100644 --- a/heat/templates/job-bootstrap.yaml +++ b/heat/templates/job-bootstrap.yaml @@ -18,8 +18,12 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} {{- $dependencies := .Values.dependencies.bootstrap }} + {{- $mounts_heat_bootstrap := .Values.pod.mounts.heat_bootstrap.heat_bootstrap }} {{- $mounts_heat_bootstrap_init := .Values.pod.mounts.heat_bootstrap.init_container }} + +{{- $serviceAccountName := "heat-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -31,6 +35,7 @@ spec: labels: {{ tuple $envAll "heat" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} 
diff --git a/heat/templates/job-db-drop.yaml b/heat/templates/job-db-drop.yaml index f045a37e8f..31d5aaa0e1 100644 --- a/heat/templates/job-db-drop.yaml +++ b/heat/templates/job-db-drop.yaml @@ -17,11 +17,16 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "heat-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: heat-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "heat-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded @@ -31,11 +36,12 @@ spec: labels: {{ tuple $envAll "heat" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: heat-db-drop image: {{ .Values.images.tags.db_drop | quote }} diff --git a/heat/templates/job-db-init.yaml b/heat/templates/job-db-init.yaml index 3399955715..1efbddaede 100644 --- a/heat/templates/job-db-init.yaml +++ b/heat/templates/job-db-init.yaml 
@@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "heat-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "heat" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: heat-db-init image: {{ .Values.images.tags.db_init | quote }} diff --git a/heat/templates/job-db-sync.yaml b/heat/templates/job-db-sync.yaml index 4bb67884da..dfe0178fb9 100644 --- a/heat/templates/job-db-sync.yaml +++ b/heat/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "heat-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "heat" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: heat-db-sync image: {{ .Values.images.tags.heat_db_sync }} diff --git a/heat/templates/job-ks-endpoints.yaml b/heat/templates/job-ks-endpoints.yaml index 48d71d8eb2..5fe664917b 100644 --- a/heat/templates/job-ks-endpoints.yaml +++ b/heat/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "heat-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "heat" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "orchestration" "cloudformation" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} 
diff --git a/heat/templates/job-ks-service.yaml b/heat/templates/job-ks-service.yaml index aca5c93bca..033b22438a 100644 --- a/heat/templates/job-ks-service.yaml +++ b/heat/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "heat-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "heat" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "orchestration" "cloudformation" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/heat/templates/job-ks-user.yaml b/heat/templates/job-ks-user.yaml index 22568a66fc..21f262a92c 100644 --- a/heat/templates/job-ks-user.yaml +++ b/heat/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "heat-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "heat" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: heat-ks-user image: {{ .Values.images.tags.ks_user }} diff --git a/heat/templates/job-trusts.yaml b/heat/templates/job-trusts.yaml index 468e0e18be..89420ed0ba 100644 --- a/heat/templates/job-trusts.yaml +++ b/heat/templates/job-trusts.yaml @@ -16,9 +16,12 @@ limitations under the License. {{- $envAll := . }} {{- $dependencies := .Values.dependencies.trusts }} + {{- $mounts_heat_trusts := .Values.pod.mounts.heat_trusts.heat_trusts }} {{- $mounts_heat_trusts_init := .Values.pod.mounts.heat_trusts.init_container }} +{{- $serviceAccountName := "heat-trusts" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -30,6 +33,7 @@ spec: labels: {{ tuple $envAll "heat" "trusts" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} diff --git a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl index 80fd4df9d8..ed371eb318 100644 --- a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl +++ b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl 
@@ -46,5 +46,6 @@ limitations under the License. value: "echo done" command: - kubernetes-entrypoint - volumeMounts: {{ $mounts | default "[]"}} + volumeMounts: +{{ toYaml $mounts | indent 4 }} {{- end -}} diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl new file mode 100644 index 0000000000..1284b36c96 --- /dev/null +++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl 
@@ -0,0 +1,68 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ $releaseName }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+ namespace: {{ $saNamespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ - batch
+ - apps
+ verbs:
+ - get
+ - list
+ resources:
+ {{- range $k, $v := $deps -}}
+ {{ if eq $v "daemonsets" }}
+ - daemonsets
+ {{- end -}}
+ {{ if eq $v "jobs" }}
+ - jobs
+ {{- end -}}
+ {{ if or (eq $v "daemonsets") (eq $v "jobs") }}
+ - pods
+ {{- end -}}
+ {{ if eq $v "services" }}
+ - services
+ - endpoints
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
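Review bot: The RoleBinding subject in `_kubernetes_pod_rbac_roles.tpl` uses `namespace: {{ $saNamespace }}`, the dependency's namespace passed as the fourth tuple element, while the ServiceAccount is created by `_kubernetes_pod_rbac_serviceaccount.tpl` in `$envAll.Release.Namespace`. When an endpoint lives in another namespace, the binding names an account this chart never created there, so the pod gets no access and a same-named ServiceAccount in that namespace would receive it instead. The subject should read `namespace: {{ $envAll.Release.Namespace }}`, leaving the Role and RoleBinding metadata on the target namespace. The `replace "_" "-"` applied to `$saName` here is not applied where the ServiceAccount is created, so the two names can also diverge.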
diff --git a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl new file mode 100644 index 0000000000..9ad9ccc2f0 --- /dev/null +++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl 
@@ -0,0 +1,50 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $saName }}
+ namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if eq $k "jobs" }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if eq $k "daemonset" }}
+{{- $_ := set $allNamespace $saNamespace (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | 
include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }} +{{- end -}} +{{- end -}} diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml index 7339b9ce17..a33100f05f 100644 --- a/horizon/templates/deployment.yaml +++ b/horizon/templates/deployment.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.dashboard }} + {{- $mounts_horizon := .Values.pod.mounts.horizon.horizon }} {{- $mounts_horizon_init := .Values.pod.mounts.horizon.init_container }} + +{{- $serviceAccountName := "horizon" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "horizon" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/horizon/templates/job-db-drop.yaml b/horizon/templates/job-db-drop.yaml index a6926c075b..3a19f258bd 100644 --- a/horizon/templates/job-db-drop.yaml +++ b/horizon/templates/job-db-drop.yaml 
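Review bot: The dependency loop in `_kubernetes_pod_rbac_serviceaccount.tpl` grants access on the presence of a key rather than on its content: `{{- else if eq $k "jobs" }}` records `jobs,` even when the value is empty. ingress/values.yaml in this commit sets `jobs: null` for both ingress pods, so they would receive get/list on jobs and pods without waiting on any. Guarding on the value, e.g. `{{- else if and $v (eq $k "jobs") }}`, keeps the generated Role to what the init container actually checks. The last branch tests the key `"daemonset"` while emitting `daemonsets,`; that spelling should be confirmed against the key the charts use under `dependencies`, which this hunk does not show.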
@@ -18,13 +18,19 @@ limitations under the License. {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + {{- $mounts_horizon_db_init := .Values.pod.mounts.horizon_db_init.horizon_db_init }} {{- $mounts_horizon_db_init_init := .Values.pod.mounts.horizon_db_init.init_container }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "horizon-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: horizon-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "horizon-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded @@ -34,11 +40,12 @@ spec: labels: {{ tuple $envAll "horizon" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: horizon-db-drop image: {{ .Values.images.tags.db_drop }} diff --git a/horizon/templates/job-db-init.yaml b/horizon/templates/job-db-init.yaml index 613f3076a9..a557e6a579 100644 --- a/horizon/templates/job-db-init.yaml +++ b/horizon/templates/job-db-init.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + {{- $mounts_horizon_db_init := .Values.pod.mounts.horizon_db_init.horizon_db_init }} {{- $mounts_horizon_db_init_init := .Values.pod.mounts.horizon_db_init.init_container }} + +{{- $serviceAccountName := "horizon-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -30,6 +34,7 @@ spec: labels: {{ tuple $envAll "horizon" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} diff --git a/horizon/templates/job-db-sync.yaml b/horizon/templates/job-db-sync.yaml index c668325c5b..403cbcd06b 100644 --- a/horizon/templates/job-db-sync.yaml +++ b/horizon/templates/job-db-sync.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + {{- $mounts_horizon_db_sync := .Values.pod.mounts.horizon_db_sync.horizon_db_sync }} {{- $mounts_horizon_db_sync_init := .Values.pod.mounts.horizon_db_sync.init_container }} + +{{- $serviceAccountName := "horizon-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -30,6 +34,7 @@ spec: labels: {{ tuple $envAll "horizon" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} 
diff --git a/ingress/templates/deployment-error.yaml b/ingress/templates/deployment-error.yaml index 49c3d02863..67c2f2a147 100644 --- a/ingress/templates/deployment-error.yaml +++ b/ingress/templates/deployment-error.yaml @@ -15,6 +15,10 @@ limitations under the License. */}} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.error_pages }} + +{{- $serviceAccountName := "ingress-error-pages"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -28,11 +32,14 @@ spec: labels: {{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ingress" "error-pages" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} terminationGracePeriodSeconds: 60 + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ingress-error-pages image: {{ .Values.images.tags.error_pages }} diff --git a/ingress/templates/deployment-ingress.yaml b/ingress/templates/deployment-ingress.yaml index 9fbf6efe6c..2ce8b59afd 100644 --- a/ingress/templates/deployment-ingress.yaml +++ b/ingress/templates/deployment-ingress.yaml 
@@ -15,6 +15,75 @@ limitations under the License. */}} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.ingress }} + +{{- $serviceAccountName := "ingress-api"}} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: nginx-ingress-clusterrole +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + resources: + - ingresses/status + verbs: + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: nginx-ingress-clusterrole-nisa-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nginx-ingress-clusterrole +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} --- {{- if eq .Values.deployment_type "Deployment" }} apiVersion: apps/v1beta1 @@ -36,6 +105,7 @@ spec: {{ tuple $envAll "ingress" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} app: ingress-api spec: + serviceAccountName: {{ $serviceAccountName }} {{- if eq .Values.deployment_type "Deployment" }} affinity: {{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} 
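Review bot: The ClusterRole and ClusterRoleBinding added to ingress/templates/deployment-ingress.yaml have fixed names (`nginx-ingress-clusterrole`, `nginx-ingress-clusterrole-nisa-binding`) although they are cluster-scoped. A second release of this chart in another namespace would collide with the first, and the binding's single subject would cover only one of the two ServiceAccounts. Prefixing both with the release, e.g. `name: {{ $envAll.Release.Name }}-nginx-ingress-clusterrole` with the same value in `roleRef.name`, avoids that. The first rule also grants list/watch on `secrets` in every namespace; a comment stating why the controller needs cluster-wide secret reads (presumably TLS material for ingresses) would make the breadth of the grant explicit to whoever audits it.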
@@ -47,6 +117,8 @@ spec: {{- end }} dnsPolicy: "ClusterFirstWithHostNet" terminationGracePeriodSeconds: 60 + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ingress-api image: {{ .Values.images.tags.ingress }} diff --git a/ingress/templates/role.yaml b/ingress/templates/role.yaml new file mode 100644 index 0000000000..a33690378b --- /dev/null +++ b/ingress/templates/role.yaml @@ -0,0 +1,62 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} + +{{- $serviceAccountName := "ingress-api" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: nginx-ingress-role + namespace: {{ $envAll.Release.Namespace }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. + - "ingress-controller-leader-nginx" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - create + - update diff --git a/ingress/templates/rolebinding.yaml b/ingress/templates/rolebinding.yaml new file mode 100644 index 0000000000..5a561fd378 
--- /dev/null +++ b/ingress/templates/rolebinding.yaml @@ -0,0 +1,33 @@ +{{/* +Copyright 2017 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $envAll := . }} + +{{- $serviceAccountName := "ingress-api" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: nginx-ingress-role-nisa-binding + namespace: {{ $envAll.Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nginx-ingress-role +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} diff --git a/ingress/values.yaml b/ingress/values.yaml index de31b32012..4d318c6f7d 100644 --- a/ingress/values.yaml +++ b/ingress/values.yaml @@ -23,6 +23,7 @@ images: # https://github.com/kubernetes/ingress/blob/master/controllers/nginx/Changelog.md ingress: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.8 error_pages: gcr.io/google_containers/defaultbackend:1.0 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: "IfNotPresent" pod: @@ -67,6 +68,12 @@ labels: network: host_namespace: true +dependencies: + error_pages: + jobs: null + ingress: + jobs: null + endpoints: ingress: host: openstack diff --git a/keystone/templates/cron-job-credential-rotate.yaml b/keystone/templates/cron-job-credential-rotate.yaml index 2dd00ba605..91aeb0892c 100644 --- a/keystone/templates/cron-job-credential-rotate.yaml 
+++ b/keystone/templates/cron-job-credential-rotate.yaml @@ -18,8 +18,41 @@ limitations under the License. {{- if .Capabilities.APIVersions.Has "batch/v2alpha1"}} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.credential_rotate }} + {{- $mounts_keystone_credential_rotate := .Values.pod.mounts.keystone_credential_rotate.keystone_credential_rotate }} {{- $mounts_keystone_credential_rotate_init := .Values.pod.mounts.keystone_credential_rotate.init_container }} + +{{- $serviceAccountName := "keystone-credential-rotate" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- apiVersion: batch/v2alpha1 kind: CronJob metadata: @@ -34,6 +67,7 @@ spec: spec: template: spec: + serviceAccountName: {{ $serviceAccountName }} initContainers: {{ tuple $envAll $dependencies $mounts_keystone_credential_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }} restartPolicy: OnFailure diff --git a/keystone/templates/cron-job-fernet-rotate.yaml b/keystone/templates/cron-job-fernet-rotate.yaml index faecb83ef6..55e2382e1e 100644 --- a/keystone/templates/cron-job-fernet-rotate.yaml +++ b/keystone/templates/cron-job-fernet-rotate.yaml 
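Review bot: The Role added in keystone/templates/cron-job-credential-rotate.yaml allows get, list, create and update on every Secret in the release namespace, so the rotation job's token can read and overwrite any other Secret stored there. `get` and `update` can be limited with `resourceNames: ["<credential-keys-secret-name>"]` (placeholder; the secret's name is not shown in this hunk), leaving a separate rule with only `create`, and `list` can probably be dropped if the script addresses the secret by name. The Role and RoleBinding also carry no `namespace:`, unlike the objects generated by the helm-toolkit snippet. The same rule block is repeated in cron-job-fernet-rotate.yaml, job-credential-setup.yaml and job-fernet-setup.yaml.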
@@ -18,8 +18,41 @@ limitations under the License. {{- if and (eq .Values.conf.keystone.token.provider "fernet") (.Capabilities.APIVersions.Has "batch/v2alpha1") }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.fernet_rotate }} + {{- $mounts_keystone_fernet_rotate := .Values.pod.mounts.keystone_fernet_rotate.keystone_fernet_rotate }} {{- $mounts_keystone_fernet_rotate_init := .Values.pod.mounts.keystone_fernet_rotate.init_container }} + +{{- $serviceAccountName := "keystone-fernet-rotate" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- apiVersion: batch/v2alpha1 kind: CronJob metadata: @@ -34,6 +67,7 @@ spec: spec: template: spec: + serviceAccountName: {{ $serviceAccountName }} initContainers: {{ tuple $envAll $dependencies $mounts_keystone_fernet_rotate_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 12 }} restartPolicy: OnFailure diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml index 091eac74f2..312e0585c3 100644 --- a/keystone/templates/deployment-api.yaml +++ b/keystone/templates/deployment-api.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_keystone_api := .Values.pod.mounts.keystone_api.keystone_api }} {{- $mounts_keystone_api_init := .Values.pod.mounts.keystone_api.init_container }} + +{{- $serviceAccountName := "keystone-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/keystone/templates/job-bootstrap.yaml b/keystone/templates/job-bootstrap.yaml index 14805bc8c9..c422143b43 100644 --- a/keystone/templates/job-bootstrap.yaml +++ b/keystone/templates/job-bootstrap.yaml @@ -18,8 +18,12 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} {{- $dependencies := .Values.dependencies.bootstrap }} + {{- $mounts_keystone_bootstrap := .Values.pod.mounts.keystone_bootstrap.keystone_bootstrap }} {{- $mounts_keystone_bootstrap_init := .Values.pod.mounts.keystone_bootstrap.init_container }} + +{{- $serviceAccountName := "keystone-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -31,6 +35,7 @@ spec: labels: {{ tuple $envAll "keystone" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} diff --git a/keystone/templates/job-credential-setup.yaml b/keystone/templates/job-credential-setup.yaml index de154ad813..42c376f55b 100644 --- a/keystone/templates/job-credential-setup.yaml +++ b/keystone/templates/job-credential-setup.yaml @@ -17,8 +17,41 @@ limitations under the License. {{- if .Values.manifests.job_credential_setup }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.credential_setup }} + {{- $mounts_keystone_credential_setup := .Values.pod.mounts.keystone_credential_setup.keystone_credential_setup }} {{- $mounts_keystone_credential_setup_init := .Values.pod.mounts.keystone_credential_setup.init_container }} + +{{- $serviceAccountName := "keystone-credential-setup" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- apiVersion: batch/v1 kind: Job metadata: 
@@ -29,6 +62,7 @@ spec: labels: {{ tuple $envAll "keystone" "credential-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} initContainers: {{ tuple $envAll $dependencies $mounts_keystone_credential_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} restartPolicy: OnFailure diff --git a/keystone/templates/job-db-drop.yaml b/keystone/templates/job-db-drop.yaml index 09d2d656ff..94a4839e1b 100644 --- a/keystone/templates/job-db-drop.yaml +++ b/keystone/templates/job-db-drop.yaml @@ -17,13 +17,19 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + {{- $mounts_keystone_db_init := .Values.pod.mounts.keystone_db_init.keystone_db_init }} {{- $mounts_keystone_db_init_init := .Values.pod.mounts.keystone_db_init.init_container }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "keystone-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: keystone-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "keystone-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded 
@@ -33,11 +39,12 @@ spec: labels: {{ tuple $envAll "keystone" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: keystone-db-drop image: {{ .Values.images.tags.db_drop }} diff --git a/keystone/templates/job-db-init.yaml b/keystone/templates/job-db-init.yaml index 04c2f327dc..ef00635549 100644 --- a/keystone/templates/job-db-init.yaml +++ b/keystone/templates/job-db-init.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + {{- $mounts_keystone_db_init := .Values.pod.mounts.keystone_db_init.keystone_db_init }} {{- $mounts_keystone_db_init_init := .Values.pod.mounts.keystone_db_init.init_container }} + +{{- $serviceAccountName := "keystone-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -30,6 +34,7 @@ spec: labels: {{ tuple $envAll "keystone" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} diff --git a/keystone/templates/job-db-sync.yaml b/keystone/templates/job-db-sync.yaml index c881ebca05..97cb5578e5 100644 --- a/keystone/templates/job-db-sync.yaml +++ b/keystone/templates/job-db-sync.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + {{- $mounts_keystone_db_sync := .Values.pod.mounts.keystone_db_sync.keystone_db_sync }} {{- $mounts_keystone_db_sync_init := .Values.pod.mounts.keystone_db_sync.init_container }} + +{{- $serviceAccountName := "keystone-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -30,6 +34,7 @@ spec: labels: {{ tuple $envAll "keystone" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} diff --git a/keystone/templates/job-fernet-setup.yaml b/keystone/templates/job-fernet-setup.yaml index 0cbaeaa87a..f2182c2c22 100644 --- a/keystone/templates/job-fernet-setup.yaml +++ b/keystone/templates/job-fernet-setup.yaml 
@@ -18,8 +18,41 @@ limitations under the License. {{- if eq .Values.conf.keystone.token.provider "fernet" }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.fernet_setup }} + {{- $mounts_keystone_fernet_setup := .Values.pod.mounts.keystone_fernet_setup.keystone_fernet_setup }} {{- $mounts_keystone_fernet_setup_init := .Values.pod.mounts.keystone_fernet_setup.init_container }} + +{{- $serviceAccountName := "keystone-fernet-setup" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - create + - update +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +--- apiVersion: batch/v1 kind: Job metadata: @@ -30,6 +63,7 @@ spec: labels: {{ tuple $envAll "keystone" "fernet-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} initContainers: {{ tuple $envAll $dependencies $mounts_keystone_fernet_setup_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} restartPolicy: OnFailure diff --git a/ldap/templates/statefulset.yaml b/ldap/templates/statefulset.yaml index 17cf9c52bc..46f25d0a5b 100644 --- a/ldap/templates/statefulset.yaml +++ b/ldap/templates/statefulset.yaml 
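Review bot: The new Role for `keystone-fernet-setup` grants `get`, `list`, `create` and `update` on every secret in the release namespace, because the rule has no `resourceNames`. The job's token can therefore read and overwrite database and service credentials that live alongside the fernet keys. `create` cannot be limited by name, but `get` and `update` can, and `list` should be dropped unless the job script (not visible in this hunk) needs it. The secret name below is a placeholder, since the name the job writes to is not shown on this page.

```yaml
rules:
  # create cannot be narrowed with resourceNames, so it gets its own rule
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  # PLACEHOLDER name: replace with the secret(s) the fernet-setup job manages
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - <fernet-keys-secret-name>
    verbs:
      - get
      - update
# ... unchanged: RoleBinding and Job ...
```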
@@ -16,6 +16,10 @@ limitations under the License. {{- if .Values.manifests.statefulset }} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.ldap }} + +{{- $serviceAccountName := "ldap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -29,10 +33,13 @@ spec: labels: {{ tuple $envAll "ldap" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "ldap" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: ldap image: {{ .Values.images.tags.ldap }} diff --git a/ldap/values.yaml b/ldap/values.yaml index 480893ca43..be9393b359 100644 --- a/ldap/values.yaml +++ b/ldap/values.yaml @@ -37,8 +37,13 @@ pod: images: tags: ldap: "docker.io/osixia/openldap:1.1.9" + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: IfNotPresent +dependencies: + ldap: + jobs: null + storage: pvc: enabled: true diff --git a/libvirt/templates/daemonset-libvirt.yaml b/libvirt/templates/daemonset-libvirt.yaml index dd3ad2ad7e..db02a3a5df 100644 --- a/libvirt/templates/daemonset-libvirt.yaml +++ b/libvirt/templates/daemonset-libvirt.yaml 
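Review bot: The `dep_check` image added to ldap/values.yaml is referenced by a mutable tag, `quay.io/stackanetes/kubernetes-entrypoint:v0.2.1`. It is presumably the image behind the new entrypoint init container, which runs in every pod under the service account this change introduces. A re-pushed tag would then execute with that account's API access. Pinning by digest closes this gap, e.g. `dep_check: quay.io/stackanetes/kubernetes-entrypoint@sha256:<digest-of-v0.2.1>`, where the digest is a placeholder to fill in from the registry. The same line is added to the libvirt, mariadb, memcached and mongodb values.yaml hunks.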
@@ -16,8 +16,13 @@ limitations under the License. {{- if .Values.manifests.daemonset_libvirt }} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.libvirt }} + {{- $mounts_libvirt := .Values.pod.mounts.libvirt.libvirt }} {{- $mounts_libvirt_init := .Values.pod.mounts.libvirt.init_container }} + +{{- $serviceAccountName := "libvirt" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -33,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.agent.libvirt.node_selector_key }}: {{ .Values.labels.agent.libvirt.node_selector_value }} hostNetwork: true @@ -40,6 +46,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet {{- if .Values.ceph.enabled }} initContainers: +{{ tuple $envAll $dependencies $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: ceph-keyring-placement image: {{ .Values.images.tags.libvirt }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/libvirt/values.yaml b/libvirt/values.yaml index b3c5c0ac6a..51b78e159c 100644 --- a/libvirt/values.yaml +++ b/libvirt/values.yaml @@ -28,6 +28,7 @@ labels: images: tags: libvirt: docker.io/kolla/ubuntu-source-nova-libvirt:3.0.3 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: "IfNotPresent" ceph: @@ -74,6 +75,9 @@ pod: memory: "1024Mi" cpu: "2000m" +dependencies: + libvirt: null + manifests: configmap_bin: true configmap_etc: true diff --git a/magnum/templates/deployment-api.yaml b/magnum/templates/deployment-api.yaml index 2829b7a9ed..418f47e207 100644 --- a/magnum/templates/deployment-api.yaml +++ b/magnum/templates/deployment-api.yaml 
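Review bot: In libvirt/templates/daemonset-libvirt.yaml the entrypoint init-container include sits under the existing `{{- if .Values.ceph.enabled }}` guard, so the dependency check is rendered only when ceph is enabled. The ldap, mariadb and mongodb templates add `initContainers:` unconditionally. If the check should always run, move `initContainers:` and the `kubernetes_entrypoint_init_container` include above the `if` and leave only `ceph-keyring-placement` inside it. The closing `{{- end }}` is outside this hunk. libvirt/values.yaml also sets `dependencies.libvirt: null` where the other charts use a map with `jobs: null`, so confirm that both snippets accept a nil dependency set.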
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_magnum_api := .Values.pod.mounts.magnum_api.magnum_api }} {{- $mounts_magnum_api_init := .Values.pod.mounts.magnum_api.init_container }} + +{{- $serviceAccountName := "magnum-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "magnum" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/magnum/templates/job-bootstrap.yaml b/magnum/templates/job-bootstrap.yaml index c1a099e863..ad1b15031c 100644 --- a/magnum/templates/job-bootstrap.yaml +++ b/magnum/templates/job-bootstrap.yaml @@ -18,8 +18,12 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} {{- $dependencies := .Values.dependencies.bootstrap }} + {{- $mounts_magnum_bootstrap := .Values.pod.mounts.magnum_bootstrap.magnum_bootstrap }} {{- $mounts_magnum_bootstrap_init := .Values.pod.mounts.magnum_bootstrap.init_container }} + +{{- $serviceAccountName := "magnum-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -31,6 +35,7 @@ spec: labels: {{ tuple $envAll "magnum" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} diff --git a/magnum/templates/job-db-drop.yaml b/magnum/templates/job-db-drop.yaml index 5be61d4c7c..a57ec70563 100644 --- a/magnum/templates/job-db-drop.yaml +++ b/magnum/templates/job-db-drop.yaml @@ -17,11 +17,16 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "magnum-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: magnum-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "magnum-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded @@ -31,11 +36,12 @@ spec: labels: {{ tuple $envAll "magnum" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: magnum-db-drop image: {{ .Values.images.tags.db_drop | quote }} diff --git a/magnum/templates/job-db-init.yaml b/magnum/templates/job-db-init.yaml index dd6ddd8761..27df7911f5 100644 --- a/magnum/templates/job-db-init.yaml 
+++ b/magnum/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "magnum-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "magnum" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: magnum-db-init image: {{ .Values.images.tags.db_init | quote }} diff --git a/magnum/templates/job-db-sync.yaml b/magnum/templates/job-db-sync.yaml index 97bca51b22..b02678de00 100644 --- a/magnum/templates/job-db-sync.yaml +++ b/magnum/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "magnum-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "magnum" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: magnum-db-sync image: {{ .Values.images.tags.magnum_db_sync }} diff --git a/magnum/templates/job-ks-endpoints.yaml b/magnum/templates/job-ks-endpoints.yaml index 2e9ef28e4a..733c298853 100644 --- a/magnum/templates/job-ks-endpoints.yaml +++ b/magnum/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "magnum-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "magnum" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "container-infra" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/magnum/templates/job-ks-service.yaml b/magnum/templates/job-ks-service.yaml index 2440bc99ba..17eeb45fd7 100644 --- a/magnum/templates/job-ks-service.yaml +++ b/magnum/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "magnum-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "magnum" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "container-infra" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/magnum/templates/job-ks-user.yaml b/magnum/templates/job-ks-user.yaml index 631d0e82a7..b298e8e1d2 100644 --- a/magnum/templates/job-ks-user.yaml +++ b/magnum/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "magnum-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "magnum" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: magnum-ks-user image: {{ .Values.images.tags.ks_user }} 
diff --git a/magnum/templates/statefulset-conductor.yaml b/magnum/templates/statefulset-conductor.yaml index 1e091fe2e8..ec748d2105 100644 --- a/magnum/templates/statefulset-conductor.yaml +++ b/magnum/templates/statefulset-conductor.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.statefulset_conductor }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.conductor }} + {{- $mounts_magnum_conductor := .Values.pod.mounts.magnum_conductor.magnum_conductor }} {{- $mounts_magnum_conductor_init := .Values.pod.mounts.magnum_conductor.init_container }} + +{{- $serviceAccountName := "magnum-conductor" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -32,6 +36,7 @@ spec: labels: {{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "magnum" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/mariadb/templates/statefulset.yaml b/mariadb/templates/statefulset.yaml index c68586975f..19a1959c56 100644 --- a/mariadb/templates/statefulset.yaml +++ b/mariadb/templates/statefulset.yaml @@ -15,6 +15,10 @@ limitations under the License. */}} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.mariadb }} + +{{- $serviceAccountName := "mariadb" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet 
@@ -28,10 +32,13 @@ spec: labels: {{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "mariadb" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: mariadb image: {{ .Values.images.tags.mariadb }} diff --git a/mariadb/values.yaml b/mariadb/values.yaml index f5aaf9c818..fdedd1306e 100644 --- a/mariadb/values.yaml +++ b/mariadb/values.yaml @@ -40,8 +40,13 @@ pod: images: tags: mariadb: docker.io/mariadb:10.1.23 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: IfNotPresent +dependencies: + mariadb: + jobs: null + volume: enabled: true class_name: general diff --git a/memcached/templates/deployment.yaml b/memcached/templates/deployment.yaml index 7b94f67370..ba9f3fc7e6 100644 --- a/memcached/templates/deployment.yaml +++ b/memcached/templates/deployment.yaml @@ -15,6 +15,10 @@ limitations under the License. */}} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.memcached }} + +{{- $serviceAccountName := "memcached" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -28,10 +32,13 @@ spec: labels: {{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "memcached" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 9 }} containers: - name: memcached image: {{ .Values.images.tags.memcached }} diff --git a/memcached/values.yaml b/memcached/values.yaml index eb50515c6e..e06b9d8b08 100644 --- a/memcached/values.yaml +++ b/memcached/values.yaml @@ -20,6 +20,7 @@ images: tags: memcached: docker.io/memcached:1.4 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: "IfNotPresent" pod: @@ -59,3 +60,7 @@ network: memcached: memory: 1024 max_connections: 8192 + +dependencies: + memcached: + jobs: null diff --git a/mistral/templates/deployment-api.yaml b/mistral/templates/deployment-api.yaml index 08b0f095b1..bf6c222866 100644 --- a/mistral/templates/deployment-api.yaml +++ b/mistral/templates/deployment-api.yaml @@ -19,6 +19,9 @@ limitations under the License. {{- $dependencies := .Values.dependencies.api }} {{- $mounts_mistral_api := .Values.pod.mounts.mistral_api.mistral_api }} {{- $mounts_mistral_api_init := .Values.pod.mounts.mistral_api.init_container }} + +{{- $serviceAccountName := "mistral-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
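Review bot: The init-container include in memcached/templates/deployment.yaml ends in `| indent 9`, while every other template in this change uses `| indent 8`. The rendered list may still parse, but the odd offset looks like a typo. It will also break if another init container is later appended by hand at the usual column. Suggested line: `{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}`.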
@@ -35,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "mistral" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/mistral/templates/deployment-executor.yaml b/mistral/templates/deployment-executor.yaml index 63f65948db..3340728350 100644 --- a/mistral/templates/deployment-executor.yaml +++ b/mistral/templates/deployment-executor.yaml @@ -19,6 +19,9 @@ limitations under the License. {{- $dependencies := .Values.dependencies.executor }} {{- $mounts_mistral_executor := .Values.pod.mounts.mistral_executor.mistral_executor }} {{- $mounts_mistral_executor_init := .Values.pod.mounts.mistral_executor.init_container }} + +{{- $serviceAccountName := "mistral-executor" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "mistral" "executor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/mistral/templates/job-bootstrap.yaml b/mistral/templates/job-bootstrap.yaml index 43966c2f41..e1814a8ba9 100644 --- a/mistral/templates/job-bootstrap.yaml +++ b/mistral/templates/job-bootstrap.yaml 
@@ -20,6 +20,9 @@ limitations under the License. {{- $dependencies := .Values.dependencies.bootstrap }} {{- $mounts_mistral_bootstrap := .Values.pod.mounts.mistral_bootstrap.mistral_bootstrap }} {{- $mounts_mistral_bootstrap_init := .Values.pod.mounts.mistral_bootstrap.init_container }} + +{{- $serviceAccountName := "mistral-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -31,6 +34,7 @@ spec: labels: {{ tuple $envAll "mistral" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} diff --git a/mistral/templates/job-db-drop.yaml b/mistral/templates/job-db-drop.yaml index 5374824f08..990a0c4a10 100644 --- a/mistral/templates/job-db-drop.yaml +++ b/mistral/templates/job-db-drop.yaml @@ -17,11 +17,16 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "mistral-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: mistral-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "mistral-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded 
@@ -31,11 +36,12 @@ spec: labels: {{ tuple $envAll "mistral" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: mistral-db-drop image: {{ .Values.images.tags.db_drop | quote }} diff --git a/mistral/templates/job-db-init.yaml b/mistral/templates/job-db-init.yaml index bcc0555067..209c41b233 100644 --- a/mistral/templates/job-db-init.yaml +++ b/mistral/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "mistral-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "mistral" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: mistral-db-init image: {{ .Values.images.tags.db_init | quote }} 
diff --git a/mistral/templates/job-db-sync.yaml b/mistral/templates/job-db-sync.yaml index d3846f3c12..08ed82bff1 100644 --- a/mistral/templates/job-db-sync.yaml +++ b/mistral/templates/job-db-sync.yaml @@ -18,6 +18,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "mistral-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -29,11 +32,12 @@ spec: labels: {{ tuple $envAll "mistral" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: mistral-db-sync image: {{ .Values.images.tags.mistral_db_sync }} diff --git a/mistral/templates/job-ks-endpoints.yaml b/mistral/templates/job-ks-endpoints.yaml index 946df53aee..e96275ae00 100644 --- a/mistral/templates/job-ks-endpoints.yaml +++ b/mistral/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "mistral-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "mistral" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "workflow" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/mistral/templates/job-ks-service.yaml b/mistral/templates/job-ks-service.yaml index f4cda9966c..c4e792b22a 100644 --- a/mistral/templates/job-ks-service.yaml +++ b/mistral/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "mistral-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "mistral" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "workflow" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/mistral/templates/job-ks-user.yaml b/mistral/templates/job-ks-user.yaml index fdb6d9c330..a14ae702c6 100644 --- a/mistral/templates/job-ks-user.yaml +++ b/mistral/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "mistral-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "mistral" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: mistral-ks-user image: {{ .Values.images.tags.ks_user }} 
diff --git a/mistral/templates/statefulset-engine.yaml b/mistral/templates/statefulset-engine.yaml index 44fcca4f8a..7907dc1e79 100644 --- a/mistral/templates/statefulset-engine.yaml +++ b/mistral/templates/statefulset-engine.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.statefulset_engine }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.engine }} + {{- $mounts_mistral_engine := .Values.pod.mounts.mistral_engine.mistral_engine }} {{- $mounts_mistral_engine_init := .Values.pod.mounts.mistral_engine.init_container }} + +{{- $serviceAccountName := "mistral-engine" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -32,6 +36,7 @@ spec: labels: app: mistral-engine spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "mistral" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/mistral/templates/statefulset-event-engine.yaml b/mistral/templates/statefulset-event-engine.yaml index afab9a646c..7934502f57 100644 --- a/mistral/templates/statefulset-event-engine.yaml +++ b/mistral/templates/statefulset-event-engine.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.statefulset_event_engine }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.event_engine }} + {{- $mounts_mistral_event_engine := .Values.pod.mounts.mistral_event_engine.mistral_event_engine }} {{- $mounts_mistral_event_engine_init := .Values.pod.mounts.mistral_event_engine.init_container }} + +{{- $serviceAccountName := "mistral-event-engine" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet 
@@ -32,6 +36,7 @@ spec: labels: {{ tuple $envAll "mistral" "event-engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "mistral" "event-engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/mongodb/templates/statefulset.yaml b/mongodb/templates/statefulset.yaml index cdc920d170..0759202578 100644 --- a/mongodb/templates/statefulset.yaml +++ b/mongodb/templates/statefulset.yaml @@ -16,6 +16,10 @@ limitations under the License. {{- if .Values.manifests.statefulset }} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.mongodb }} + +{{- $serviceAccountName := "mongodb" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -29,10 +33,13 @@ spec: labels: {{ tuple $envAll "mongodb" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "mongodb" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: mongodb image: {{ .Values.images.tags.mongodb }} diff --git a/mongodb/values.yaml b/mongodb/values.yaml index c0fb6bad85..21e6615670 100644 --- a/mongodb/values.yaml +++ b/mongodb/values.yaml @@ -40,6 +40,7 @@ pod: images: tags: mongodb: docker.io/mongo:3.4.9-jessie + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: IfNotPresent storage: 
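Review bot: The added `dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1` in mongodb/values.yaml references the image by tag only, and with `pull_policy: IfNotPresent` each node keeps whatever that tag resolved to on its first pull. This image now runs as an init container in the pod that carries the new `mongodb` ServiceAccount, so its content matters more than it did before this patch. Pinning by digest makes the content verifiable, for example `dep_check: quay.io/stackanetes/kubernetes-entrypoint@sha256:<digest-of-v0.2.1>`. The existing `mongodb` tag on the line above has the same property.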
@@ -72,6 +73,10 @@ endpoints: mongodb: default: 27017 +dependencies: + mongodb: + jobs: null + manifests: configmap_bin: true secret_db_root_creds: true diff --git a/neutron/templates/daemonset-dhcp-agent.yaml b/neutron/templates/daemonset-dhcp-agent.yaml index a5f3524660..2d788bf563 100644 --- a/neutron/templates/daemonset-dhcp-agent.yaml +++ b/neutron/templates/daemonset-dhcp-agent.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.daemonset_dhcp_agent }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.dhcp }} + {{- $mounts_neutron_dhcp_agent := .Values.pod.mounts.neutron_dhcp_agent.neutron_dhcp_agent }} {{- $mounts_neutron_dhcp_agent_init := .Values.pod.mounts.neutron_dhcp_agent.init_container }} + +{{- $serviceAccountName := "neutron-dhcp-agent" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -34,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.agent.dhcp.node_selector_key }}: {{ .Values.labels.agent.dhcp.node_selector_value }} dnsPolicy: ClusterFirstWithHostNet diff --git a/neutron/templates/daemonset-l3-agent.yaml b/neutron/templates/daemonset-l3-agent.yaml index 528546f6d9..9d7410c74c 100644 --- a/neutron/templates/daemonset-l3-agent.yaml +++ b/neutron/templates/daemonset-l3-agent.yaml 
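Review bot: The new `$serviceAccountName` assignment and `kubernetes_pod_rbac_serviceaccount` include in neutron/templates/daemonset-dhcp-agent.yaml have no comment saying why the agent pod needs its own identity; the same applies to the other neutron and nova templates touched by this patch. `serviceAccountName` is set at pod level, so the agent containers run under the same account as the dependency-check init container. What the snippet binds to that account is defined in helm-toolkit and is not visible in these hunks, so its scope should be confirmed as namespace-scoped and read-only. I would add a template comment above the assignment, such as `{{/* Pod identity for dependency checks; permissions are defined by helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount */}}`.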
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.daemonset_l3_agent }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.l3 }} + {{- $mounts_neutron_l3_agent := .Values.pod.mounts.neutron_l3_agent.neutron_l3_agent }} {{- $mounts_neutron_l3_agent_init := .Values.pod.mounts.neutron_l3_agent.init_container }} + +{{- $serviceAccountName := "neutron-l3-agent" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -34,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.agent.l3.node_selector_key }}: {{ .Values.labels.agent.l3.node_selector_value }} dnsPolicy: ClusterFirstWithHostNet diff --git a/neutron/templates/daemonset-lb-agent.yaml b/neutron/templates/daemonset-lb-agent.yaml index b12bf4f693..74a8132773 100644 --- a/neutron/templates/daemonset-lb-agent.yaml +++ b/neutron/templates/daemonset-lb-agent.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.daemonset_lb_agent }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.lb_agent }} + {{- $mounts_neutron_lb_agent := .Values.pod.mounts.neutron_lb_agent.neutron_lb_agent }} {{- $mounts_neutron_lb_agent_init := .Values.pod.mounts.neutron_lb_agent.init_container }} + +{{- $serviceAccountName := "neutron-lb-agent" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet 
@@ -34,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.lb.node_selector_key }}: {{ .Values.labels.lb.node_selector_value }} dnsPolicy: ClusterFirstWithHostNet diff --git a/neutron/templates/daemonset-metadata-agent.yaml b/neutron/templates/daemonset-metadata-agent.yaml index 3af7c04053..a7a1d16c50 100644 --- a/neutron/templates/daemonset-metadata-agent.yaml +++ b/neutron/templates/daemonset-metadata-agent.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.daemonset_metadata_agent }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.metadata }} + {{- $mounts_neutron_metadata_agent := .Values.pod.mounts.neutron_metadata_agent.neutron_metadata_agent }} {{- $mounts_neutron_metadata_agent_init := .Values.pod.mounts.neutron_metadata_agent.init_container }} + +{{- $serviceAccountName := "neutron-metadata-agent" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -34,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.agent.metadata.node_selector_key }}: {{ .Values.labels.agent.metadata.node_selector_value }} dnsPolicy: ClusterFirstWithHostNet diff --git a/neutron/templates/daemonset-ovs-agent.yaml b/neutron/templates/daemonset-ovs-agent.yaml index 3312b5bb13..cbb5b84307 100644 --- a/neutron/templates/daemonset-ovs-agent.yaml +++ b/neutron/templates/daemonset-ovs-agent.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.daemonset_ovs_agent }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ovs_agent }} + {{- $mounts_neutron_ovs_agent := .Values.pod.mounts.neutron_ovs_agent.neutron_ovs_agent }} {{- $mounts_neutron_ovs_agent_init := .Values.pod.mounts.neutron_ovs_agent.init_container }} + +{{- $serviceAccountName := "neutron-ovs-agent" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -34,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} dnsPolicy: ClusterFirstWithHostNet diff --git a/neutron/templates/deployment-server.yaml b/neutron/templates/deployment-server.yaml index d280bc4a35..7dab930e1c 100644 --- a/neutron/templates/deployment-server.yaml +++ b/neutron/templates/deployment-server.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_server }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.server }} + {{- $mounts_neutron_server := .Values.pod.mounts.neutron_server.neutron_server }} {{- $mounts_neutron_server_init := .Values.pod.mounts.neutron_server.init_container }} + +{{- $serviceAccountName := "neutron-server" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "neutron" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/neutron/templates/job-bootstrap.yaml b/neutron/templates/job-bootstrap.yaml index cf7012b35d..034cd2a65f 100644 --- a/neutron/templates/job-bootstrap.yaml +++ b/neutron/templates/job-bootstrap.yaml @@ -18,8 +18,12 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} {{- $dependencies := .Values.dependencies.bootstrap }} + {{- $mounts_neutron_bootstrap := .Values.pod.mounts.neutron_bootstrap.neutron_bootstrap }} {{- $mounts_neutron_bootstrap_init := .Values.pod.mounts.neutron_bootstrap.init_container }} + +{{- $serviceAccountName := "neutron-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -31,6 +35,7 @@ spec: labels: {{ tuple $envAll "neutron" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} diff --git a/neutron/templates/job-db-drop.yaml b/neutron/templates/job-db-drop.yaml index e84aa8dc22..e43b8c6842 100644 --- a/neutron/templates/job-db-drop.yaml +++ b/neutron/templates/job-db-drop.yaml 
@@ -18,11 +18,16 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "neutron-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: neutron-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "neutron-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded @@ -32,11 +37,12 @@ spec: labels: {{ tuple $envAll "neutron" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: neutron-db-drop image: {{ .Values.images.tags.db_drop }} diff --git a/neutron/templates/job-db-init.yaml b/neutron/templates/job-db-init.yaml index 3e6af438ba..f802edac02 100644 --- a/neutron/templates/job-db-init.yaml +++ b/neutron/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "neutron-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
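Review bot: The random suffix in `$serviceAccountName` in neutron/templates/job-db-drop.yaml (the same pattern appears in nova/templates/job-db-drop.yaml) is regenerated on every render. This matters if the `kubernetes_pod_rbac_serviceaccount` snippet emits the ServiceAccount and its bindings as ordinary release resources rather than hooks; the snippet body is not visible here, so that needs confirming. If so, the pre-delete Job rendered at delete time would reference an account `neutron-db-drop-<new suffix>` that was never created. Each upgrade would also replace the account and bindings with differently named ones, which makes RBAC auditing harder. A fixed name avoids both, `{{- $serviceAccountName := "neutron-db-drop" }}`, with `$randStringSuffix` kept for the Job name only.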
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "neutron" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: neutron-db-init image: {{ .Values.images.tags.db_init }} diff --git a/neutron/templates/job-db-sync.yaml b/neutron/templates/job-db-sync.yaml index f49f97bb67..675cba9d39 100644 --- a/neutron/templates/job-db-sync.yaml +++ b/neutron/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "neutron-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "neutron" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: neutron-db-sync image: {{ .Values.images.tags.neutron_db_sync }} 
diff --git a/neutron/templates/job-ks-endpoints.yaml b/neutron/templates/job-ks-endpoints.yaml index 537a17340c..9eaee7fea7 100644 --- a/neutron/templates/job-ks-endpoints.yaml +++ b/neutron/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "neutron-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "neutron" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "network" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/neutron/templates/job-ks-service.yaml b/neutron/templates/job-ks-service.yaml index 296c5f1a6e..e9897cdd02 100644 --- a/neutron/templates/job-ks-service.yaml +++ b/neutron/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "neutron-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "neutron" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "network" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/neutron/templates/job-ks-user.yaml b/neutron/templates/job-ks-user.yaml index eaf6937997..1d2a508b61 100644 --- a/neutron/templates/job-ks-user.yaml +++ b/neutron/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "neutron-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "neutron" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: neutron-ks-user image: {{ .Values.images.tags.ks_user }} 
diff --git a/nova/templates/daemonset-compute.yaml b/nova/templates/daemonset-compute.yaml index eebb378d27..47ec797be1 100644 --- a/nova/templates/daemonset-compute.yaml +++ b/nova/templates/daemonset-compute.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.daemonset_compute }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.compute }} + {{- $mounts_nova_compute := .Values.pod.mounts.nova_compute.nova_compute }} {{- $mounts_nova_compute_init := .Values.pod.mounts.nova_compute.init_container }} + +{{- $serviceAccountName := "nova-compute" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -34,6 +38,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.agent.compute.node_selector_key }}: {{ .Values.labels.agent.compute.node_selector_value }} hostNetwork: true diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml index ac2a6971ac..ad1a792cd0 100644 --- a/nova/templates/deployment-api-metadata.yaml +++ b/nova/templates/deployment-api-metadata.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api_metadata }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_nova_api_metadata := .Values.pod.mounts.nova_api_metadata.nova_api_metadata }} {{- $mounts_nova_api_metadata_init := .Values.pod.mounts.nova_api_metadata.init_container }} + +{{- $serviceAccountName := "nova-api-metadata" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "nova" "metadata" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/nova/templates/deployment-api-osapi.yaml b/nova/templates/deployment-api-osapi.yaml index a1414b0671..e667a60ea2 100644 --- a/nova/templates/deployment-api-osapi.yaml +++ b/nova/templates/deployment-api-osapi.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api_osapi }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_nova_api_osapi := .Values.pod.mounts.nova_api_osapi.nova_api_osapi }} {{- $mounts_nova_api_osapi_init := .Values.pod.mounts.nova_api_osapi.init_container }} + +{{- $serviceAccountName := "nova-api-osapi" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "nova" "os-api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/nova/templates/deployment-conductor.yaml b/nova/templates/deployment-conductor.yaml index 735db7e2eb..d1dec94d5a 100644 --- a/nova/templates/deployment-conductor.yaml +++ b/nova/templates/deployment-conductor.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_conductor }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.conductor }} + {{- $mounts_nova_conductor := .Values.pod.mounts.nova_conductor.nova_conductor }} {{- $mounts_nova_conductor_init := .Values.pod.mounts.nova_conductor.init_container }} + +{{- $serviceAccountName := "nova-conductor" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "nova" "conductor" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/nova/templates/deployment-consoleauth.yaml b/nova/templates/deployment-consoleauth.yaml index 46bdd4ee44..ed85d44452 100644 --- a/nova/templates/deployment-consoleauth.yaml +++ b/nova/templates/deployment-consoleauth.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_consoleauth }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.consoleauth }} + {{- $mounts_nova_consoleauth := .Values.pod.mounts.nova_consoleauth.nova_conductor }} {{- $mounts_nova_consoleauth_init := .Values.pod.mounts.nova_consoleauth.init_container }} + +{{- $serviceAccountName := "nova-consoleauth" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "nova" "consoleauth" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/nova/templates/deployment-novncproxy.yaml b/nova/templates/deployment-novncproxy.yaml index c27a650881..c50f1aadac 100644 --- a/nova/templates/deployment-novncproxy.yaml +++ b/nova/templates/deployment-novncproxy.yaml @@ -18,8 +18,12 @@ limitations under the License. {{- $envAll := . }} {{ if eq .Values.console.console_kind "novnc" }} {{- $dependencies := .Values.dependencies.novncproxy }} + {{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }} {{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }} + +{{- $serviceAccountName := "nova-novncproxy" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -36,6 +40,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "nova" "novnc-proxy" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/nova/templates/deployment-placement.yaml b/nova/templates/deployment-placement.yaml index a03db3956e..a1218bebe5 100644 --- a/nova/templates/deployment-placement.yaml +++ b/nova/templates/deployment-placement.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_placement }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_nova_placement := .Values.pod.mounts.nova_placement.nova_placement }} {{- $mounts_nova_placement_init := .Values.pod.mounts.nova_placement.init_container }} + +{{- $serviceAccountName := "nova-placement-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "nova" "placement" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/nova/templates/deployment-scheduler.yaml b/nova/templates/deployment-scheduler.yaml index 33a0784ce5..ce36befba1 100644 --- a/nova/templates/deployment-scheduler.yaml +++ b/nova/templates/deployment-scheduler.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_scheduler }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.scheduler }} + {{- $mounts_nova_scheduler := .Values.pod.mounts.nova_scheduler.nova_conductor }} {{- $mounts_nova_scheduler_init := .Values.pod.mounts.nova_scheduler.init_container }} + +{{- $serviceAccountName := "nova-scheduler" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
@@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "nova" "scheduler" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/nova/templates/job-bootstrap.yaml b/nova/templates/job-bootstrap.yaml index 85b5264bbd..30ce26d5d5 100644 --- a/nova/templates/job-bootstrap.yaml +++ b/nova/templates/job-bootstrap.yaml @@ -18,8 +18,12 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} {{- $dependencies := .Values.dependencies.bootstrap }} + {{- $mounts_nova_bootstrap := .Values.pod.mounts.nova_bootstrap.nova_bootstrap }} {{- $mounts_nova_bootstrap_init := .Values.pod.mounts.nova_bootstrap.init_container }} + +{{- $serviceAccountName := "nova-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -31,6 +35,7 @@ spec: labels: {{ tuple $envAll "nova" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} diff --git a/nova/templates/job-cell-setup.yaml b/nova/templates/job-cell-setup.yaml index 9529a6f578..78233ae749 100644 --- a/nova/templates/job-cell-setup.yaml +++ b/nova/templates/job-cell-setup.yaml 
@@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_cell_setup }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.cell_setup }} + +{{- $serviceAccountName := "nova-cell-setup" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "nova" "cell-setup" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: nova-cell-setup image: {{ .Values.images.tags.cell_setup }} diff --git a/nova/templates/job-db-drop.yaml b/nova/templates/job-db-drop.yaml index 9a8d850753..1f5c3d9abd 100644 --- a/nova/templates/job-db-drop.yaml +++ b/nova/templates/job-db-drop.yaml @@ -17,11 +17,16 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "nova-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: nova-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "nova-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded 
@@ -31,11 +36,12 @@ spec: labels: {{ tuple $envAll "nova" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: nova-db-drop image: {{ .Values.images.tags.db_drop }} diff --git a/nova/templates/job-db-init.yaml b/nova/templates/job-db-init.yaml index 59f6a33d9a..b4dc730b19 100644 --- a/nova/templates/job-db-init.yaml +++ b/nova/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "nova-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "nova" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: nova-db-init image: {{ .Values.images.tags.db_init }} diff --git a/nova/templates/job-db-sync.yaml b/nova/templates/job-db-sync.yaml index db6cd67d77..5668d9e182 100644 
--- a/nova/templates/job-db-sync.yaml +++ b/nova/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "nova-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "nova" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: nova-db-sync image: {{ .Values.images.tags.db_sync }} diff --git a/nova/templates/job-ks-endpoints.yaml b/nova/templates/job-ks-endpoints.yaml index 3eae18c757..b49680e614 100644 --- a/nova/templates/job-ks-endpoints.yaml +++ b/nova/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "nova-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "nova" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "compute" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/nova/templates/job-ks-placement-endpoints.yaml b/nova/templates/job-ks-placement-endpoints.yaml index 8001459006..d7bae5df2c 100644 --- a/nova/templates/job-ks-placement-endpoints.yaml +++ b/nova/templates/job-ks-placement-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_placement_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "placement-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "placement" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "placement" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/nova/templates/job-ks-placement-service.yaml b/nova/templates/job-ks-placement-service.yaml index 84d38a958b..b8a2570912 100644 --- a/nova/templates/job-ks-placement-service.yaml +++ b/nova/templates/job-ks-placement-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_placement_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "placement-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "placement" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "placement" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/nova/templates/job-ks-placement-user.yaml b/nova/templates/job-ks-placement-user.yaml index 1751eb4867..91839a52de 100644 --- a/nova/templates/job-ks-placement-user.yaml +++ b/nova/templates/job-ks-placement-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_placement_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "placement-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "placement" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: placement-ks-user image: {{ .Values.images.tags.ks_user }} 
diff --git a/nova/templates/job-ks-service.yaml b/nova/templates/job-ks-service.yaml index 8fa52a1452..d0a549afe8 100644 --- a/nova/templates/job-ks-service.yaml +++ b/nova/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "nova-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "nova" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "compute" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/nova/templates/job-ks-user.yaml b/nova/templates/job-ks-user.yaml index d85554b210..f795c32c70 100644 --- a/nova/templates/job-ks-user.yaml +++ b/nova/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "nova-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "nova" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.job.node_selector_key }}: {{ .Values.labels.job.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: nova-ks-user image: {{ .Values.images.tags.ks_user }} diff --git a/openvswitch/templates/daemonset-ovs-db.yaml b/openvswitch/templates/daemonset-ovs-db.yaml index 3d2cbde0a7..ac709d881d 100644 --- a/openvswitch/templates/daemonset-ovs-db.yaml +++ b/openvswitch/templates/daemonset-ovs-db.yaml @@ -16,6 +16,10 @@ limitations under the License. {{- if .Values.manifests.daemonset_ovs_db }} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.db }} + +{{- $serviceAccountName := "openvswitch-db" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -30,10 +34,13 @@ spec: annotations: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} dnsPolicy: ClusterFirstWithHostNet hostNetwork: true + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: openvswitch-db image: {{ .Values.images.tags.openvswitch_db_server }} 
diff --git a/openvswitch/templates/daemonset-ovs-vswitchd.yaml b/openvswitch/templates/daemonset-ovs-vswitchd.yaml index d3bf8198ec..d102ab37a3 100644 --- a/openvswitch/templates/daemonset-ovs-vswitchd.yaml +++ b/openvswitch/templates/daemonset-ovs-vswitchd.yaml @@ -16,6 +16,10 @@ limitations under the License. {{- if .Values.manifests.daemonset_ovs_vswitchd }} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.vswitchd }} + +{{- $serviceAccountName := "openvswitch-vswitchd" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: extensions/v1beta1 kind: DaemonSet @@ -30,11 +34,13 @@ spec: annotations: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} nodeSelector: {{ .Values.labels.ovs.node_selector_key }}: {{ .Values.labels.ovs.node_selector_value }} dnsPolicy: ClusterFirstWithHostNet hostNetwork: true initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: openvswitch-vswitchd-modules image: {{ .Values.images.tags.openvswitch_vswitchd }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/openvswitch/values.yaml b/openvswitch/values.yaml index 837fb0591a..925a8fb2b8 100644 --- a/openvswitch/values.yaml +++ b/openvswitch/values.yaml @@ -23,6 +23,7 @@ images: tags: openvswitch_db_server: docker.io/kolla/ubuntu-source-openvswitch-db-server:3.0.3 openvswitch_vswitchd: docker.io/kolla/ubuntu-source-openvswitch-vswitchd:3.0.3 + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: "IfNotPresent" labels: @@ -79,6 +80,10 @@ pod: memory: "1024Mi" cpu: "2000m" +dependencies: + vswitchd: null + db: null + manifests: configmap_bin: true daemonset_ovs_db: true 
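Review bot: The added `dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1` in openvswitch/values.yaml pins the init-container image by tag only, and with `pull_policy: "IfNotPresent"` a node that has not cached it pulls whatever the tag points to at that moment. This patch makes that image run as an init container in both Open vSwitch DaemonSets, which set `hostNetwork: true` and now carry a named service account, so its provenance matters more than for an ordinary helper image. Pinning by digest, `dep_check: quay.io/stackanetes/kubernetes-entrypoint@sha256:<digest-of-v0.2.1>` (placeholder; the digest is not on this page), makes the pulled content immutable. postgresql/values.yaml adds the same line.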
diff --git a/postgresql/templates/statefulset.yaml b/postgresql/templates/statefulset.yaml index 404aae0ab5..13c686ab3f 100644 --- a/postgresql/templates/statefulset.yaml +++ b/postgresql/templates/statefulset.yaml @@ -15,6 +15,10 @@ limitations under the License. */}} {{- $envAll := . }} +{{- $dependencies := .Values.dependencies.postgresql }} + +{{- $serviceAccountName := "postgresql" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -28,10 +32,13 @@ spec: labels: {{ tuple $envAll "postgresql" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "postgresql" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} + initContainers: +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: postgresql image: {{ .Values.images.tags.postgresql }} diff --git a/postgresql/values.yaml b/postgresql/values.yaml index c297516ddc..6e45c89064 100644 --- a/postgresql/values.yaml +++ b/postgresql/values.yaml @@ -40,6 +40,7 @@ pod: images: tags: postgresql: "docker.io/postgres:9.5" + dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1 pull_policy: IfNotPresent storage: @@ -55,6 +56,10 @@ labels: node_selector_key: openstack-control-plane node_selector_value: enabled +dependencies: + postgresql: + jobs: null + endpoints: cluster_domain_suffix: cluster.local postgresql: diff --git a/rabbitmq/templates/deployment.yaml b/rabbitmq/templates/deployment.yaml index d971d6f264..05ded8a887 100644 --- a/rabbitmq/templates/deployment.yaml +++ b/rabbitmq/templates/deployment.yaml 
@@ -15,7 +15,11 @@ limitations under the License. */}} {{- $envAll := . }} -{{- $dependencies := .Values.dependencies }} +{{- $dependencies := .Values.dependencies.rabbitmq }} + +{{- $serviceAccountName := "rabbitmq" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- kind: Deployment apiVersion: apps/v1beta1 metadata: @@ -31,12 +35,13 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "rabbitmq" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 9 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 9 }} containers: - name: rabbitmq image: {{ .Values.images.tags.rabbitmq }} diff --git a/rabbitmq/values.yaml b/rabbitmq/values.yaml index adb407605e..bac22e44a2 100644 --- a/rabbitmq/values.yaml +++ b/rabbitmq/values.yaml @@ -88,6 +88,7 @@ probes_delay: 180 probes_timeout: 10 dependencies: - services: - - service: etcd - endpoint: internal + rabbitmq: + services: + - service: etcd + endpoint: internal diff --git a/rally/templates/job-bootstrap.yaml b/rally/templates/job-bootstrap.yaml index 68ceb37949..0d09511dea 100644 --- a/rally/templates/job-bootstrap.yaml +++ b/rally/templates/job-bootstrap.yaml 
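Review bot: The init-container include in the second hunk of rabbitmq/templates/deployment.yaml is still piped through `indent 9`, while every other template touched by this patch uses `indent 8` for the same snippet. The rendered list is presumably still valid YAML because the items stay deeper than `initContainers:`, but the odd column makes rendered manifests harder to diff and review across charts. Since the line is already being rewritten for the `"[]"` to `list` change, `{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}` would align it with the rest.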
@@ -18,8 +18,12 @@ limitations under the License. {{- $envAll := . }} {{- if .Values.bootstrap.enabled }} {{- $dependencies := .Values.dependencies.bootstrap }} + {{- $mounts_rally_bootstrap := .Values.pod.mounts.rally_bootstrap.rally_bootstrap }} {{- $mounts_rally_bootstrap_init := .Values.pod.mounts.rally_bootstrap.init_container }} + +{{- $serviceAccountName := "rally-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -31,6 +35,7 @@ spec: labels: {{ tuple $envAll "rally" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} diff --git a/rally/templates/job-db-init.yaml b/rally/templates/job-db-init.yaml index 9eed22c632..42b915d336 100644 --- a/rally/templates/job-db-init.yaml +++ b/rally/templates/job-db-init.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "rally-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "rally" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: rally-db-init image: {{ .Values.images.tags.db_init | quote }} diff --git a/rally/templates/job-ks-endpoints.yaml b/rally/templates/job-ks-endpoints.yaml index 6065de267b..a035e2179a 100644 --- a/rally/templates/job-ks-endpoints.yaml +++ b/rally/templates/job-ks-endpoints.yaml @@ -16,6 +16,9 @@ limitations under the License. {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "rally-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -27,11 +30,12 @@ spec: labels: {{ tuple $envAll "rally" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "benchmark" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} 
diff --git a/rally/templates/job-ks-service.yaml b/rally/templates/job-ks-service.yaml index 270e8e6f9d..5c36490c4d 100644 --- a/rally/templates/job-ks-service.yaml +++ b/rally/templates/job-ks-service.yaml @@ -16,6 +16,9 @@ limitations under the License. {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "rally-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -27,11 +30,12 @@ spec: labels: {{ tuple $envAll "rally" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "benchmark" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/rally/templates/job-ks-user.yaml b/rally/templates/job-ks-user.yaml index 403875f8e7..fb8b1717d5 100644 --- a/rally/templates/job-ks-user.yaml +++ b/rally/templates/job-ks-user.yaml @@ -16,6 +16,9 @@ limitations under the License. {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "rally-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -27,11 +30,12 @@ spec: labels: {{ tuple $envAll "rally" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: rally-ks-user image: {{ .Values.images.tags.ks_user }} diff --git a/rally/templates/job-manage-db.yaml b/rally/templates/job-manage-db.yaml index f7ff12ab28..5cc7456c38 100644 --- a/rally/templates/job-manage-db.yaml +++ b/rally/templates/job-manage-db.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_manage_db }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.manage_db }} + +{{- $serviceAccountName := "rally-manage-db" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "rally" "manage-db" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: rally-manage-db image: {{ .Values.images.tags.manage_db }} 
diff --git a/rally/templates/job-run-task.yaml b/rally/templates/job-run-task.yaml index 57d6322875..3b472a9084 100644 --- a/rally/templates/job-run-task.yaml +++ b/rally/templates/job-run-task.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_run_task }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.run_task }} + +{{- $serviceAccountName := "rally-run-task" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "rally" "run-task" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - name: rally-run-task-init image: {{ .Values.images.tags.run_task }} imagePullPolicy: {{ .Values.images.pull_policy }} diff --git a/senlin/templates/deployment-api.yaml b/senlin/templates/deployment-api.yaml index 110413c54e..93f66333d4 100644 --- a/senlin/templates/deployment-api.yaml +++ b/senlin/templates/deployment-api.yaml 
@@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.api }} + {{- $mounts_senlin_api := .Values.pod.mounts.senlin_api.senlin_api }} {{- $mounts_senlin_api_init := .Values.pod.mounts.senlin_api.init_container }} + +{{- $serviceAccountName := "senlin-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -35,6 +39,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "senlin" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/senlin/templates/job-bootstrap.yaml b/senlin/templates/job-bootstrap.yaml index a631a47130..0630b46779 100644 --- a/senlin/templates/job-bootstrap.yaml +++ b/senlin/templates/job-bootstrap.yaml @@ -20,6 +20,9 @@ limitations under the License. {{- $dependencies := .Values.dependencies.bootstrap }} {{- $mounts_senlin_bootstrap := .Values.pod.mounts.senlin_bootstrap.senlin_bootstrap }} {{- $mounts_senlin_bootstrap_init := .Values.pod.mounts.senlin_bootstrap.init_container }} + +{{- $serviceAccountName := "senlin-bootstrap" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -31,6 +34,7 @@ spec: labels: {{ tuple $envAll "senlin" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} 
diff --git a/senlin/templates/job-db-drop.yaml b/senlin/templates/job-db-drop.yaml index ca9a03ba98..1172e42576 100644 --- a/senlin/templates/job-db-drop.yaml +++ b/senlin/templates/job-db-drop.yaml @@ -17,11 +17,16 @@ limitations under the License. {{- if .Values.manifests.job_db_drop }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_drop }} + +{{- $randStringSuffix := randAlphaNum 5 | lower }} + +{{- $serviceAccountName := print "senlin-db-drop-" $randStringSuffix }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: senlin-db-drop-{{ randAlphaNum 5 | lower }} + name: {{ print "senlin-db-drop-" $randStringSuffix }} annotations: "helm.sh/hook": pre-delete "helm.sh/hook-delete-policy": hook-succeeded @@ -31,11 +36,12 @@ spec: labels: {{ tuple $envAll "senlin" "db-drop" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: senlin-db-drop image: {{ .Values.images.tags.db_drop | quote }} diff --git a/senlin/templates/job-db-init.yaml b/senlin/templates/job-db-init.yaml index 7c11ed66fc..daf6d377e1 100644 --- a/senlin/templates/job-db-init.yaml +++ b/senlin/templates/job-db-init.yaml 
@@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_init }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_init }} + +{{- $serviceAccountName := "senlin-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "senlin" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: senlin-db-init image: {{ .Values.images.tags.db_init | quote }} diff --git a/senlin/templates/job-db-sync.yaml b/senlin/templates/job-db-sync.yaml index d9e48e444f..bc94b7bc57 100644 --- a/senlin/templates/job-db-sync.yaml +++ b/senlin/templates/job-db-sync.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_db_sync }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.db_sync }} + +{{- $serviceAccountName := "senlin-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "senlin" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: senlin-db-sync image: {{ .Values.images.tags.senlin_db_sync }} diff --git a/senlin/templates/job-ks-endpoints.yaml b/senlin/templates/job-ks-endpoints.yaml index 148da70a7d..5f283c4bcd 100644 --- a/senlin/templates/job-ks-endpoints.yaml +++ b/senlin/templates/job-ks-endpoints.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} + +{{- $serviceAccountName := "senlin-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "senlin" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "clustering" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} 
diff --git a/senlin/templates/job-ks-service.yaml b/senlin/templates/job-ks-service.yaml index 15eb29488a..6fa2b257c0 100644 --- a/senlin/templates/job-ks-service.yaml +++ b/senlin/templates/job-ks-service.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_service }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_service }} + +{{- $serviceAccountName := "senlin-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "senlin" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "clustering" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/senlin/templates/job-ks-user.yaml b/senlin/templates/job-ks-user.yaml index c62af66740..5ec4f17dff 100644 --- a/senlin/templates/job-ks-user.yaml +++ b/senlin/templates/job-ks-user.yaml @@ -17,6 +17,9 @@ limitations under the License. {{- if .Values.manifests.job_ks_user }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} + +{{- $serviceAccountName := "senlin-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +31,12 @@ spec: labels: {{ tuple $envAll "senlin" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: senlin-ks-user image: {{ .Values.images.tags.ks_user }} diff --git a/senlin/templates/statefulset-engine.yaml b/senlin/templates/statefulset-engine.yaml index 2a8076bc13..7bdbe21a14 100644 --- a/senlin/templates/statefulset-engine.yaml +++ b/senlin/templates/statefulset-engine.yaml @@ -17,8 +17,12 @@ limitations under the License. {{- if .Values.manifests.statefulset_engine }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.engine }} + {{- $mounts_senlin_engine := .Values.pod.mounts.senlin_engine.senlin_engine }} {{- $mounts_senlin_engine_init := .Values.pod.mounts.senlin_engine.init_container }} + +{{- $serviceAccountName := "senlin-engine" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -32,6 +36,7 @@ spec: labels: {{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} affinity: {{ tuple $envAll "senlin" "engine" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} nodeSelector: diff --git a/tools/deployment/developer/02-setup-client.sh b/tools/deployment/developer/02-setup-client.sh index 81075d1198..b71c1b7a2b 100755 --- a/tools/deployment/developer/02-setup-client.sh 
+++ b/tools/deployment/developer/02-setup-client.sh @@ -34,8 +34,5 @@ clouds: EOF sudo -H chown -R $(id -un): /etc/openstack -#NOTE: Relax RBAC -kubectl replace -f ./tools/kubeadm-aio/assets/opt/rbac/dev.yaml - #NOTE: Build charts make all diff --git a/tools/deployment/developer/12-glance.sh b/tools/deployment/developer/12-glance.sh index 5d15d45684..7873a3d500 100755 --- a/tools/deployment/developer/12-glance.sh +++ b/tools/deployment/developer/12-glance.sh @@ -27,7 +27,7 @@ helm install ./glance \ --set storage=${GLANCE_BACKEND} #NOTE: Wait for deploy -./tools/deployment/developer/wait-for-pods.sh openstack +./tools/deployment/developer/wait-for-pods.sh openstack 600 #NOTE: Validate Deployment info helm status glance