Enable helm repository and chart upload tool
There's a lot going on here but conceptually we're just enabling a local helm repo along with a helper script to install helm charts into the repo. The first item is to configure lighttpd to serve up helm charts as static information (so no proxying) at "http://127.0.0.1/helm_charts". This is fairly straightforward, but the files are served out of /www which isn't a replicated filesystem and which is owned by the www user. The helm puppet manifest is modified to create the "helm_charts" directory for the webserver, to generate the initial index file, and to tell helm to add the new repo for the "wrsroot" user. The various commands are run as specific users with specific environment variables; this is key to making everything work as planned. To allow the wrsroot user to upload charts into /www the helm-upload script will re-run itself as the www user. /etc/sudoers.d is modified to allow this without asking for a password. The upload script will copy the specified charts into /www/pages/helm_charts, and will then regenerate the index.yaml file. The upload script will then try to sync the files over to the other node. To enable this without prompting for a password we modify /etc/rsyncd.conf to allow passwordless syncing into /www/helm_charts. In a future commit we'll need to sync charts with the other controller when booting up, and also configure the local starlingx helm repo on the second controller. Change-Id: I86a7795decb7833cb22c04e34e298c8d24ed7fa3 Signed-off-by: David Sullivan <david.sullivan@windriver.com> Story: 2002876 Task: 22831 Depends-On: https://review.openstack.org/596802
parent
e70d07a23c
commit
98aa0d5f2b
@ -1,2 +1,2 @@
|
||||
COPY_LIST="$PKG_BASE/files/rsyncd.conf"
|
||||
TIS_PATCH_VER=1
|
||||
TIS_PATCH_VER=2
|
||||
|
@ -49,3 +49,9 @@ read only = yes
|
||||
comment = SSL ca certificate
|
||||
uid = root
|
||||
read only = no
|
||||
|
||||
[helm_charts]
|
||||
path = /www/pages/helm_charts
|
||||
comment = Helm chart repo
|
||||
uid = root
|
||||
read only = no
|
||||
|
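Review bot: The new `[helm_charts]` module is writable (`read only = no`), runs as `uid = root`, and the visible lines give it no `auth users` or `hosts allow`, so unless a global setting outside this hunk restricts clients, any host that can reach the rsync daemon can add or replace charts and `index.yaml` in the repo that helm later installs from. I would limit the module to the peer controller and drop root, e.g. `hosts allow = <peer-controller-address>` and `uid = www`. Writing as root also leaves root-owned files in a directory the commit message says is owned by www, which the www-run upload script on that node may then be unable to overwrite. The part of rsyncd.conf above this hunk is not visible here, so confirm whether a global `hosts allow` already applies.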
@ -1,7 +1,6 @@
|
||||
VERSION=2.9.1
|
||||
TAR_NAME=helm
|
||||
TAR="$TAR_NAME-v$VERSION-linux-amd64.tar.gz"
|
||||
#COPY_LIST="${CGCS_BASE}/downloads/$TAR ${CGCS_BASE}/downloads/tiller-2.9.1-docker-image.tgz"
|
||||
COPY_LIST="${CGCS_BASE}/downloads/$TAR"
|
||||
COPY_LIST="${CGCS_BASE}/downloads/$TAR $FILES_BASE/*"
|
||||
|
||||
TIS_PATCH_VER=2
|
||||
TIS_PATCH_VER=3
|
||||
|
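--- a/kubernetes/helm/centos/files/helm-upload
+++ b/kubernetes/helm/centos/files/helm-upload
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+#
+# Copyright (c) 2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# This script takes the names of packaged helm charts as arguments.
+# It installs them in the on-node helm chart repository and regenerates
+# the repository index.
+
+
+# We want to run as the "www" user and scripts can't be setuid. The
+# sudoers permissions are set up to allow wrsroot to run this script
+# as the "www" user without a password.
+if [ $USER != "www" ]; then
+exec sudo -u www $0 $@
+fi
+
+
+RETVAL=0
+REINDEX=0
+
+REPO_DIR='/www/pages/helm_charts'
+
+for FILE in "$@"; do
+if [ -r $FILE ]; then
+# QUESTION: should we disallow overwriting an existing file?
+# The versions are embedded in the filename, so it shouldn't
+# cause problems.
+cp $FILE $REPO_DIR
+if [ $? -ne 0 ]; then
+echo Problem adding $FILE to helm chart registry.
+RETVAL=1
+else
+REINDEX=1
+fi
+else
+echo Cannot read file ${FILE}.
+RETVAL=1
+fi
+done
+
+
+# Now re-index the helm repository if we successfully copied in
+# any new charts.
+if [ $REINDEX -eq 1 ]; then
+/usr/sbin/helm repo index $REPO_DIR
+fi
+
+if [ ! -f "/etc/platform/simplex" ]; then
+# We're not a one node system, copy the files to the other
+# controller if we can
+if [ $HOSTNAME == "controller-0" ]; then
+TARGET="controller-1"
+else
+TARGET="controller-0"
+fi
+
+# We've modified etc/rsyncd.conf to allow access to /www/helm_charts
+# To avoid races, copy over the index file last.
+rsync -acv --exclude=index.yaml ${REPO_DIR}/ rsync://${TARGET}/helm_charts
+if [ $? -ne 0 ]; then
+echo Problem syncing helm charts to $TARGET
+RETVAL=1
+fi
+
+rsync -acv ${REPO_DIR}/index.yaml rsync://${TARGET}/helm_charts
+if [ $? -ne 0 ]; then
+echo Problem syncing helm chart index file to $TARGET
+RETVAL=1
+fi
+fi
+
+# We also need to sync the helm charts on node startup
+# in case they were added while the node was down.
+
+exit $RETVAL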
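Review bot: The re-exec line `exec sudo -u www $0 $@` and the later `[ -r $FILE ]` / `cp $FILE $REPO_DIR` expand their arguments unquoted, so a chart path containing whitespace or glob characters is split or expanded, and one starting with `-` is read by cp as an option, all while running as www through a passwordless sudo rule. The `[ $USER != "www" ]` test also relies on an environment variable; if it is empty the `[` test errors and the script carries on as the caller, so `id -un` is the more reliable check. Because everything copied lands in the directory the web server publishes, it is worth rejecting arguments that are not packaged charts (assumed here to be `*.tgz`) instead of copying any file www can read. The fence shows the quoting and checks I would apply; the rest of the script is unchanged.

```shell
if [ "$(id -un)" != "www" ]; then
    exec sudo -u www "$0" "$@"
fi
# … unchanged: RETVAL, REINDEX, REPO_DIR …
for FILE in "$@"; do
    case "$FILE" in
        *.tgz) ;;
        *)
            echo "Not a packaged chart: ${FILE}"
            RETVAL=1
            continue
            ;;
    esac
    if [ -r "$FILE" ]; then
        cp -- "$FILE" "$REPO_DIR"
        # … unchanged: cp status check, RETVAL/REINDEX bookkeeping, rest of script …
```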
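--- a/kubernetes/helm/centos/files/helm.sudo
+++ b/kubernetes/helm/centos/files/helm.sudo
@@ -0,0 +1,3 @@
+wrsroot ALL=(www) NOPASSWD: /usr/local/sbin/helm-upload
+
+Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin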
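Review bot: The `Defaults lecture=never, secure_path=...` line is not scoped, so installing this drop-in changes the lecture setting and `secure_path` for every sudo invocation on the node, not only for helm-upload. Scope it to the rule it serves, e.g. `Defaults!/usr/local/sbin/helm-upload lecture=never`, and leave the system-wide `secure_path` to the main sudoers file; if the script needs a fixed search path for `cp` and `rsync`, setting PATH at the top of helm-upload keeps that local. A one-line comment above the `wrsroot` rule stating why www access is passwordless would also help whoever audits sudoers.d later.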
@ -7,7 +7,8 @@ Group: devel
|
||||
Packager: Wind River <info@windriver.com>
|
||||
URL: https://github.com/kubernetes/helm/releases
|
||||
Source0: %{name}-v%{version}-linux-amd64.tar.gz
|
||||
#Source1: tiller-2.9.1-docker-image.tgz
|
||||
Source1: helm-upload
|
||||
Source2: helm.sudo
|
||||
|
||||
Requires: /bin/bash
|
||||
|
||||
@ -20,11 +21,13 @@ Requires: /bin/bash
|
||||
%install
|
||||
install -d %{buildroot}%{_sbindir}
|
||||
install -m 755 ${RPM_BUILD_DIR}/linux-amd64/helm %{buildroot}%{_sbindir}/helm
|
||||
#install -d %{buildroot}%{_sharedstatedir}/tiller
|
||||
#install -m 400 %{SOURCE1} %{buildroot}%{_sharedstatedir}/tiller/tiller-2.9.1-docker-image.tgz
|
||||
install -d %{buildroot}/usr/local/sbin
|
||||
install -m 755 %{SOURCE1} %{buildroot}/usr/local/sbin/helm-upload
|
||||
install -d %{buildroot}%{_sysconfdir}/sudoers.d
|
||||
install -m 440 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudoers.d/helm
|
||||
|
||||
%files
|
||||
%defattr(-,root,root,-)
|
||||
%{_sbindir}/helm
|
||||
#%{_sharedstatedir}/tiller/tiller-2.9.1-docker-image.tgz
|
||||
|
||||
/usr/local/sbin/helm-upload
|
||||
%{_sysconfdir}/sudoers.d/helm
|
||||
|