Merge "Upversion helm charts to v0.13.1"
commit
5c5c967215
@ -1 +1 @@
|
||||
portieris-0.7.0.tgz#portieris#https://github.com/IBM/portieris/archive/0.7.0.tar.gz#http##
|
||||
portieris-0.13.1.tgz#portieris#https://github.com/IBM/portieris/archive/refs/tags/v0.13.1.tar.gz#http##
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 0eff41601723e51d975af4e4663dc788bb067f0a Mon Sep 17 00:00:00 2001
|
||||
From: Jerry Sun <jerry.sun@windriver.com>
|
||||
Date: Mon, 16 Jan 2023 11:35:58 -0500
|
||||
Subject: [PATCH 1/1] Add permissive cluster policy by default
|
||||
|
||||
The default permissive policy is only added if the policy set is
|
||||
set to IKS. In the non IKS case, no default cluster image policy
|
||||
is created. This means all pod deployment is denied in all
|
||||
namespaces that don't have any imagepolicies. This patch applies
|
||||
the default permissive cluster image policy to not interfere with
|
||||
platform functionality when Portieris is applied.
|
||||
|
||||
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
|
||||
---
|
||||
helm/portieris/templates/policies.yaml | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/helm/portieris/templates/policies.yaml b/helm/portieris/templates/policies.yaml
|
||||
index 6e67ffc..ed8c84f 100644
|
||||
--- a/helm/portieris/templates/policies.yaml
|
||||
+++ b/helm/portieris/templates/policies.yaml
|
||||
@@ -65,7 +65,6 @@ spec:
|
||||
---
|
||||
{{ end }}
|
||||
|
||||
-{{- if (eq .Values.PolicySet "IKS") }}
|
||||
apiVersion: portieris.cloud.ibm.com/v1
|
||||
kind: ClusterImagePolicy
|
||||
metadata:
|
||||
@@ -77,4 +76,3 @@ spec:
|
||||
repositories:
|
||||
{{- .Values.clusterPolicy.allowedRepositories | toYaml | nindent 4 }}
|
||||
---
|
||||
-{{ end }}
|
||||
--
|
||||
2.34.1
|
||||
|
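Review bot: The ClusterImagePolicy that is now always installed leaves image-trust enforcement permissive by default, and nothing in the template or chart values says so. With the `{{- if (eq .Values.PolicySet "IKS") }}` guard gone, every namespace without its own ImagePolicy falls back to whatever `.Values.clusterPolicy.allowedRepositories` allows; its default is not visible in this hunk, so please confirm what it permits. I would add a template comment above the resource, for example `{{/* Default ClusterImagePolicy is permissive; override clusterPolicy.allowedRepositories to enforce image trust */}}`, and state the same in the application documentation. The policies.yaml template starts and ends outside both hunks.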
@ -1,28 +0,0 @@
|
||||
From 77a11903c2486d07cd3b078f99476b3a855fdce0 Mon Sep 17 00:00:00 2001
|
||||
From: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
Date: Mon, 18 Jan 2021 17:02:39 -0500
|
||||
Subject: [PATCH] add image pull secrets to images
|
||||
|
||||
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
---
|
||||
helm/portieris/templates/deployment.yaml | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml
|
||||
index b72c599..d8f3590 100644
|
||||
--- a/helm/portieris/templates/deployment.yaml
|
||||
+++ b/helm/portieris/templates/deployment.yaml
|
||||
@@ -21,6 +21,10 @@ spec:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ {{ if .Values.image.host }}
|
||||
+ imagePullSecrets:
|
||||
+ - name: default-registry-key
|
||||
+ {{ end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}"
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,51 +0,0 @@
|
||||
From b5defc7482fa8a0b1ad7c96a1ad8d8b578fb7d2c Mon Sep 17 00:00:00 2001
|
||||
From: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
Date: Wed, 1 Sep 2021 10:34:54 -0400
|
||||
Subject: [PATCH 3/4] add toggle to reinstall the admission webhook
|
||||
|
||||
The backup and restore procedure will set ReapplyAdmissionWebhook to
|
||||
true to force an "upgrade" of an already installed Portieris
|
||||
application. The webhooks job is run on the helm chart's post-upgrade
|
||||
hook. The chart value ReapplyAdmissionWebhook is reserved to simplify
|
||||
its handling by backup and restore.
|
||||
|
||||
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
---
|
||||
.../admission-webhooks/create-admission-webhooks.yaml | 4 ++++
|
||||
helm/portieris/values.yaml | 4 ++++
|
||||
2 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
index 04bb56a..7773413 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
@@ -4,7 +4,11 @@ metadata:
|
||||
name: create-admission-webhooks
|
||||
namespace: {{ .Values.namespace }}
|
||||
annotations:
|
||||
+ {{ if .Values.ReapplyAdmissionWebhook }}
|
||||
+ helm.sh/hook: post-install,post-upgrade
|
||||
+ {{ else }}
|
||||
helm.sh/hook: post-install
|
||||
+ {{ end }}
|
||||
helm.sh/hook-weight: "5"
|
||||
helm.sh/hook-delete-policy: hook-succeeded
|
||||
labels:
|
||||
diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
|
||||
index 8b1a13e..d73d6f2 100644
|
||||
--- a/helm/portieris/values.yaml
|
||||
+++ b/helm/portieris/values.yaml
|
||||
@@ -29,6 +29,10 @@ SkipSecretCreation: false
|
||||
# If using cert-manager to handle secrets
|
||||
UseCertManager: false
|
||||
|
||||
+# Set to force helm upgrade, rerun the create-admission-webhooks job
|
||||
+# This value is reserved for the StarlingX backup and restore procedure
|
||||
+ReapplyAdmissionWebhook: false
|
||||
+
|
||||
# Resoures defined to assist scheduling
|
||||
# request is typical x10, limit is typical x100
|
||||
resources:
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,105 +0,0 @@
|
||||
From 8a6d884de01c2ce8ad9f68284b69a0ae2e5dea2a Mon Sep 17 00:00:00 2001
|
||||
From: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
Date: Wed, 1 Sep 2021 18:54:44 -0400
|
||||
Subject: [PATCH 4/4] run admission webhooks as non-root
|
||||
|
||||
With pod security policies enabled the webhooks will not run as root,
|
||||
with "Error: container has runAsNonRoot and image will run as root".
|
||||
|
||||
Copy the securityContext from portieris chart, run as 'portieris'
|
||||
service account.
|
||||
|
||||
Fix subsequent jobs that fail with the absent securityContext,
|
||||
permissions. Add patch verb to customresourcedefinitions for portieris
|
||||
service add account.
|
||||
|
||||
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
---
|
||||
.../admission-webhooks/create-admission-webhooks.yaml | 3 +++
|
||||
.../admission-webhooks/delete-admission-webhooks.yaml | 3 +++
|
||||
helm/portieris/templates/clusterrole.yaml | 4 ++--
|
||||
helm/portieris/templates/crd-creation/create-crds.yaml | 4 +++-
|
||||
helm/portieris/templates/crd-creation/delete-crds.yaml | 4 +++-
|
||||
.../templates/crd-creation/validate-crd-creation.yaml | 4 +++-
|
||||
6 files changed, 17 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
index 7773413..cbe0eb7 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
@@ -44,3 +44,6 @@ spec:
|
||||
configMap:
|
||||
name: admission-webhooks
|
||||
restartPolicy: OnFailure
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
index ce34927..dd8c259 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
@@ -40,3 +40,6 @@ spec:
|
||||
configMap:
|
||||
name: admission-webhooks
|
||||
restartPolicy: OnFailure
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
diff --git a/helm/portieris/templates/clusterrole.yaml b/helm/portieris/templates/clusterrole.yaml
|
||||
index 67c5912..13b4cb4 100644
|
||||
--- a/helm/portieris/templates/clusterrole.yaml
|
||||
+++ b/helm/portieris/templates/clusterrole.yaml
|
||||
@@ -16,10 +16,10 @@ rules:
|
||||
verbs: ["get", "watch", "list", "create", "patch"]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
- verbs: ["get", "create", "delete"]
|
||||
+ verbs: ["get", "create", "delete", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||
- verbs: ["get", "create", "delete"]
|
||||
+ verbs: ["get", "create", "delete", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets", "serviceaccounts"]
|
||||
verbs: ["get"]
|
||||
diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
index 3ac36f6..13b0ca2 100644
|
||||
--- a/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
@@ -39,4 +39,6 @@ spec:
|
||||
configMap:
|
||||
name: image-policy-crds
|
||||
restartPolicy: OnFailure
|
||||
-
|
||||
\ No newline at end of file
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
index 9080511..783fe23 100644
|
||||
--- a/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
@@ -40,4 +40,6 @@ spec:
|
||||
configMap:
|
||||
name: image-policy-crds
|
||||
restartPolicy: OnFailure
|
||||
-
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
index 5c68466..d3075da 100644
|
||||
--- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
@@ -33,4 +33,6 @@ spec:
|
||||
- imagepolicies.securityenforcement.admission.cloud.ibm.com
|
||||
- clusterimagepolicies.securityenforcement.admission.cloud.ibm.com
|
||||
restartPolicy: OnFailure
|
||||
-
|
||||
\ No newline at end of file
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,130 +0,0 @@
|
||||
From ed939af4c374f834f6e15e2f6c3d5cbff53c90ec Mon Sep 17 00:00:00 2001
|
||||
From: Rafael Camargos <RafaelLucas.Camargos@windriver.com>
|
||||
Date: Tue, 28 Sep 2021 11:05:29 -0400
|
||||
Subject: [PATCH] Add toleration to deployment and jobs
|
||||
|
||||
---
|
||||
.../admission-webhooks/create-admission-webhooks.yaml | 4 ++++
|
||||
.../admission-webhooks/delete-admission-webhooks.yaml | 4 ++++
|
||||
helm/portieris/templates/crd-creation/create-crds.yaml | 4 ++++
|
||||
helm/portieris/templates/crd-creation/delete-crds.yaml | 4 ++++
|
||||
.../templates/crd-creation/validate-crd-creation.yaml | 4 ++++
|
||||
.../templates/default/create-default-policies.yaml | 6 +++++-
|
||||
helm/portieris/templates/deployment.yaml | 4 ++++
|
||||
7 files changed, 29 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
index cbe0eb7..fe3e5c2 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
@@ -27,6 +27,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
index dd8c259..e8edc3d 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
index 13b0ca2..2033ee6 100644
|
||||
--- a/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
index 783fe23..894598a 100644
|
||||
--- a/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
index d3075da..58e501e 100644
|
||||
--- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/default/create-default-policies.yaml b/helm/portieris/templates/default/create-default-policies.yaml
|
||||
index 31a38c0..fae1597 100644
|
||||
--- a/helm/portieris/templates/default/create-default-policies.yaml
|
||||
+++ b/helm/portieris/templates/default/create-default-policies.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
@@ -39,4 +43,4 @@ spec:
|
||||
configMap:
|
||||
name: default-image-policies
|
||||
restartPolicy: OnFailure
|
||||
-
|
||||
\ No newline at end of file
|
||||
+
|
||||
diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml
|
||||
index d8f3590..e6c4184 100644
|
||||
--- a/helm/portieris/templates/deployment.yaml
|
||||
+++ b/helm/portieris/templates/deployment.yaml
|
||||
@@ -25,6 +25,10 @@ spec:
|
||||
imagePullSecrets:
|
||||
- name: default-registry-key
|
||||
{{ end }}
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}"
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,119 +0,0 @@
|
||||
From ed8b4b884a2a73b07934461206db66adf8da8218 Mon Sep 17 00:00:00 2001
|
||||
From: Boovan Rajendran <boovan.rajendran@windriver.com>
|
||||
Date: Fri, 28 Oct 2022 10:37:56 -0400
|
||||
Subject: [PATCH] Add toleration to deployment and jobs
|
||||
|
||||
The tolerations address the nodeselectors for kubernetes versions 1.24 and earlier.
|
||||
|
||||
Signed-off-by: Rafael Camargos <RafaelLucas.Camargos@windriver.com>
|
||||
---
|
||||
.../admission-webhooks/create-admission-webhooks.yaml | 3 +++
|
||||
.../admission-webhooks/delete-admission-webhooks.yaml | 3 +++
|
||||
helm/portieris/templates/crd-creation/create-crds.yaml | 3 +++
|
||||
helm/portieris/templates/crd-creation/delete-crds.yaml | 3 +++
|
||||
.../templates/crd-creation/validate-crd-creation.yaml | 3 +++
|
||||
helm/portieris/templates/default/create-default-policies.yaml | 3 +++
|
||||
helm/portieris/templates/deployment.yaml | 3 +++
|
||||
7 files changed, 21 insertions(+)
|
||||
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
index fe3e5c2..6674602 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
@@ -31,6 +31,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
index e8edc3d..abd1538 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
index 2033ee6..1237920 100644
|
||||
--- a/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
index 894598a..b0a3c0a 100644
|
||||
--- a/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
index 58e501e..430c1ab 100644
|
||||
--- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/default/create-default-policies.yaml b/helm/portieris/templates/default/create-default-policies.yaml
|
||||
index fae1597..6f55ccc 100644
|
||||
--- a/helm/portieris/templates/default/create-default-policies.yaml
|
||||
+++ b/helm/portieris/templates/default/create-default-policies.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml
|
||||
index e6c4184..7835f29 100644
|
||||
--- a/helm/portieris/templates/deployment.yaml
|
||||
+++ b/helm/portieris/templates/deployment.yaml
|
||||
@@ -29,6 +29,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}"
|
||||
--
|
||||
2.25.1
|
||||
|
@ -1,6 +1 @@
|
||||
0001-Squash-required-portieris-fixes.patch
|
||||
0002-add-image-pull-secrets-to-images.patch
|
||||
0003-add-toggle-to-reinstall-the-admission-webhook.patch
|
||||
0004-run-admission-webhooks-as-non-root.patch
|
||||
0005-add-toleration.patch
|
||||
0006-Add-toleration-to-deployment-and-jobs.patch
|
||||
0001-Add-permissive-cluster-policy-by-default.patch
|
||||
|
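Review bot: The series now lists only `0001-Add-permissive-cluster-policy-by-default.patch`, and the commit description does not say whether the v0.13.1 chart already carries what the dropped patches did. The ones that matter most for hardening are `0004-run-admission-webhooks-as-non-root.patch` (the jobs' `securityContext.runAsUser`) and `0002-add-image-pull-secrets-to-images.patch`. If upstream lacks an equivalent, the hook jobs may run as root or be rejected where a non-root policy is enforced. Please record in the description which upstream change replaces each dropped patch, or keep the ones that are still needed.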
@ -3,7 +3,7 @@
|
||||
|
||||
export ROOT = debian/tmp
|
||||
export CHART_FOLDER = $(ROOT)/usr/lib/helm
|
||||
export PORTIERIS_VERSION = 0.7.0
|
||||
export PORTIERIS_VERSION = v0.13.1
|
||||
export PORTIERIS_TARBALL = portieris-$(PORTIERIS_VERSION).tgz
|
||||
|
||||
%:
|
||||
|
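Review bot: With `export PORTIERIS_VERSION = v0.13.1`, `PORTIERIS_TARBALL` expands to `portieris-v0.13.1.tgz`, but the download is named `portieris-0.13.1.tgz` in the tarball list and in the `dl_path` `name:` field of the metadata hunk. The rest of the rules file is outside this hunk, so whether this breaks the build depends on how `$(PORTIERIS_TARBALL)` is used there. If it names the downloaded archive, keep the prefix out of the version, for example `export PORTIERIS_VERSION = 0.13.1`, or rename the download to match.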
@ -2,9 +2,9 @@
|
||||
debname: portieris-helm
|
||||
debver: 1.0-1
|
||||
dl_path:
|
||||
name: portieris-0.7.0.tgz
|
||||
url: https://github.com/IBM/portieris/archive/0.7.0.tar.gz
|
||||
md5sum: ef9c907c5fe0e49db91fd0072d39111e
|
||||
name: portieris-0.13.1.tgz
|
||||
url: https://github.com/IBM/portieris/archive/refs/tags/v0.13.1.tar.gz
|
||||
md5sum: 3c5b2a092172dfd0fd51d4319305680f
|
||||
src_files:
|
||||
- files/metadata.yaml
|
||||
- files/index.yaml
|
||||
|
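Review bot: The new `md5sum:` is the only integrity pin visible here for the archive fetched from `archive/refs/tags/v0.13.1.tar.gz`, and MD5 is not collision-resistant, so it does not protect against a deliberately substituted tarball. If the packaging tool accepts a SHA-256 digest for `dl_path`, record that instead of, or alongside, the MD5 value. Tag archives may be regenerated by the hosting service, so pinning a mirrored copy of the tarball would also make the checksum more stable.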
@ -0,0 +1,37 @@
|
||||
From 0eff41601723e51d975af4e4663dc788bb067f0a Mon Sep 17 00:00:00 2001
|
||||
From: Jerry Sun <jerry.sun@windriver.com>
|
||||
Date: Mon, 16 Jan 2023 11:35:58 -0500
|
||||
Subject: [PATCH 1/1] Add permissive cluster policy by default
|
||||
|
||||
The default permissive policy is only added if the policy set is
|
||||
set to IKS. In the non IKS case, no default cluster image policy
|
||||
is created. This means all pod deployment is denied in all
|
||||
namespaces that don't have any imagepolicies. This patch applies
|
||||
the default permissive cluster image policy to not interfere with
|
||||
platform functionality when Portieris is applied.
|
||||
|
||||
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
|
||||
---
|
||||
helm/portieris/templates/policies.yaml | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/helm/portieris/templates/policies.yaml b/helm/portieris/templates/policies.yaml
|
||||
index 6e67ffc..ed8c84f 100644
|
||||
--- a/helm/portieris/templates/policies.yaml
|
||||
+++ b/helm/portieris/templates/policies.yaml
|
||||
@@ -65,7 +65,6 @@ spec:
|
||||
---
|
||||
{{ end }}
|
||||
|
||||
-{{- if (eq .Values.PolicySet "IKS") }}
|
||||
apiVersion: portieris.cloud.ibm.com/v1
|
||||
kind: ClusterImagePolicy
|
||||
metadata:
|
||||
@@ -77,4 +76,3 @@ spec:
|
||||
repositories:
|
||||
{{- .Values.clusterPolicy.allowedRepositories | toYaml | nindent 4 }}
|
||||
---
|
||||
-{{ end }}
|
||||
--
|
||||
2.34.1
|
||||
|
@ -1,28 +0,0 @@
|
||||
From 77a11903c2486d07cd3b078f99476b3a855fdce0 Mon Sep 17 00:00:00 2001
|
||||
From: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
Date: Mon, 18 Jan 2021 17:02:39 -0500
|
||||
Subject: [PATCH] add image pull secrets to images
|
||||
|
||||
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
---
|
||||
helm/portieris/templates/deployment.yaml | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml
|
||||
index b72c599..d8f3590 100644
|
||||
--- a/helm/portieris/templates/deployment.yaml
|
||||
+++ b/helm/portieris/templates/deployment.yaml
|
||||
@@ -21,6 +21,10 @@ spec:
|
||||
release: {{ .Release.Name }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ {{ if .Values.image.host }}
|
||||
+ imagePullSecrets:
|
||||
+ - name: default-registry-key
|
||||
+ {{ end }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}"
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,51 +0,0 @@
|
||||
From b5defc7482fa8a0b1ad7c96a1ad8d8b578fb7d2c Mon Sep 17 00:00:00 2001
|
||||
From: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
Date: Wed, 1 Sep 2021 10:34:54 -0400
|
||||
Subject: [PATCH 3/4] add toggle to reinstall the admission webhook
|
||||
|
||||
The backup and restore procedure will set ReapplyAdmissionWebhook to
|
||||
true to force an "upgrade" of an already installed Portieris
|
||||
application. The webhooks job is run on the helm chart's post-upgrade
|
||||
hook. The chart value ReapplyAdmissionWebhook is reserved to simplify
|
||||
its handling by backup and restore.
|
||||
|
||||
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
---
|
||||
.../admission-webhooks/create-admission-webhooks.yaml | 4 ++++
|
||||
helm/portieris/values.yaml | 4 ++++
|
||||
2 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
index 04bb56a..7773413 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
@@ -4,7 +4,11 @@ metadata:
|
||||
name: create-admission-webhooks
|
||||
namespace: {{ .Values.namespace }}
|
||||
annotations:
|
||||
+ {{ if .Values.ReapplyAdmissionWebhook }}
|
||||
+ helm.sh/hook: post-install,post-upgrade
|
||||
+ {{ else }}
|
||||
helm.sh/hook: post-install
|
||||
+ {{ end }}
|
||||
helm.sh/hook-weight: "5"
|
||||
helm.sh/hook-delete-policy: hook-succeeded
|
||||
labels:
|
||||
diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml
|
||||
index 8b1a13e..d73d6f2 100644
|
||||
--- a/helm/portieris/values.yaml
|
||||
+++ b/helm/portieris/values.yaml
|
||||
@@ -29,6 +29,10 @@ SkipSecretCreation: false
|
||||
# If using cert-manager to handle secrets
|
||||
UseCertManager: false
|
||||
|
||||
+# Set to force helm upgrade, rerun the create-admission-webhooks job
|
||||
+# This value is reserved for the StarlingX backup and restore procedure
|
||||
+ReapplyAdmissionWebhook: false
|
||||
+
|
||||
# Resoures defined to assist scheduling
|
||||
# request is typical x10, limit is typical x100
|
||||
resources:
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,105 +0,0 @@
|
||||
From 8a6d884de01c2ce8ad9f68284b69a0ae2e5dea2a Mon Sep 17 00:00:00 2001
|
||||
From: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
Date: Wed, 1 Sep 2021 18:54:44 -0400
|
||||
Subject: [PATCH 4/4] run admission webhooks as non-root
|
||||
|
||||
With pod security policies enabled the webhooks will not run as root,
|
||||
with "Error: container has runAsNonRoot and image will run as root".
|
||||
|
||||
Copy the securityContext from portieris chart, run as 'portieris'
|
||||
service account.
|
||||
|
||||
Fix subsequent jobs that fail with the absent securityContext,
|
||||
permissions. Add patch verb to customresourcedefinitions for portieris
|
||||
service add account.
|
||||
|
||||
Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
|
||||
---
|
||||
.../admission-webhooks/create-admission-webhooks.yaml | 3 +++
|
||||
.../admission-webhooks/delete-admission-webhooks.yaml | 3 +++
|
||||
helm/portieris/templates/clusterrole.yaml | 4 ++--
|
||||
helm/portieris/templates/crd-creation/create-crds.yaml | 4 +++-
|
||||
helm/portieris/templates/crd-creation/delete-crds.yaml | 4 +++-
|
||||
.../templates/crd-creation/validate-crd-creation.yaml | 4 +++-
|
||||
6 files changed, 17 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
index 7773413..cbe0eb7 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
@@ -44,3 +44,6 @@ spec:
|
||||
configMap:
|
||||
name: admission-webhooks
|
||||
restartPolicy: OnFailure
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
index ce34927..dd8c259 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
@@ -40,3 +40,6 @@ spec:
|
||||
configMap:
|
||||
name: admission-webhooks
|
||||
restartPolicy: OnFailure
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
diff --git a/helm/portieris/templates/clusterrole.yaml b/helm/portieris/templates/clusterrole.yaml
|
||||
index 67c5912..13b4cb4 100644
|
||||
--- a/helm/portieris/templates/clusterrole.yaml
|
||||
+++ b/helm/portieris/templates/clusterrole.yaml
|
||||
@@ -16,10 +16,10 @@ rules:
|
||||
verbs: ["get", "watch", "list", "create", "patch"]
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources: ["customresourcedefinitions"]
|
||||
- verbs: ["get", "create", "delete"]
|
||||
+ verbs: ["get", "create", "delete", "patch"]
|
||||
- apiGroups: ["admissionregistration.k8s.io"]
|
||||
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
|
||||
- verbs: ["get", "create", "delete"]
|
||||
+ verbs: ["get", "create", "delete", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets", "serviceaccounts"]
|
||||
verbs: ["get"]
|
||||
diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
index 3ac36f6..13b0ca2 100644
|
||||
--- a/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
@@ -39,4 +39,6 @@ spec:
|
||||
configMap:
|
||||
name: image-policy-crds
|
||||
restartPolicy: OnFailure
|
||||
-
|
||||
\ No newline at end of file
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
index 9080511..783fe23 100644
|
||||
--- a/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
@@ -40,4 +40,6 @@ spec:
|
||||
configMap:
|
||||
name: image-policy-crds
|
||||
restartPolicy: OnFailure
|
||||
-
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
index 5c68466..d3075da 100644
|
||||
--- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
@@ -33,4 +33,6 @@ spec:
|
||||
- imagepolicies.securityenforcement.admission.cloud.ibm.com
|
||||
- clusterimagepolicies.securityenforcement.admission.cloud.ibm.com
|
||||
restartPolicy: OnFailure
|
||||
-
|
||||
\ No newline at end of file
|
||||
+ securityContext:
|
||||
+ runAsUser: {{ .Values.securityContext.runAsUser }}
|
||||
+
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,130 +0,0 @@
|
||||
From ed939af4c374f834f6e15e2f6c3d5cbff53c90ec Mon Sep 17 00:00:00 2001
|
||||
From: Rafael Camargos <RafaelLucas.Camargos@windriver.com>
|
||||
Date: Tue, 28 Sep 2021 11:05:29 -0400
|
||||
Subject: [PATCH] Add toleration to deployment and jobs
|
||||
|
||||
---
|
||||
.../admission-webhooks/create-admission-webhooks.yaml | 4 ++++
|
||||
.../admission-webhooks/delete-admission-webhooks.yaml | 4 ++++
|
||||
helm/portieris/templates/crd-creation/create-crds.yaml | 4 ++++
|
||||
helm/portieris/templates/crd-creation/delete-crds.yaml | 4 ++++
|
||||
.../templates/crd-creation/validate-crd-creation.yaml | 4 ++++
|
||||
.../templates/default/create-default-policies.yaml | 6 +++++-
|
||||
helm/portieris/templates/deployment.yaml | 4 ++++
|
||||
7 files changed, 29 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
index cbe0eb7..fe3e5c2 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
@@ -27,6 +27,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
index dd8c259..e8edc3d 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
index 13b0ca2..2033ee6 100644
|
||||
--- a/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
index 783fe23..894598a 100644
|
||||
--- a/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
index d3075da..58e501e 100644
|
||||
--- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/default/create-default-policies.yaml b/helm/portieris/templates/default/create-default-policies.yaml
|
||||
index 31a38c0..fae1597 100644
|
||||
--- a/helm/portieris/templates/default/create-default-policies.yaml
|
||||
+++ b/helm/portieris/templates/default/create-default-policies.yaml
|
||||
@@ -23,6 +23,10 @@ spec:
|
||||
heritage: {{ .Release.Service }}
|
||||
spec:
|
||||
serviceAccountName: portieris
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
@@ -39,4 +43,4 @@ spec:
|
||||
configMap:
|
||||
name: default-image-policies
|
||||
restartPolicy: OnFailure
|
||||
-
|
||||
\ No newline at end of file
|
||||
+
|
||||
diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml
|
||||
index d8f3590..e6c4184 100644
|
||||
--- a/helm/portieris/templates/deployment.yaml
|
||||
+++ b/helm/portieris/templates/deployment.yaml
|
||||
@@ -25,6 +25,10 @@ spec:
|
||||
imagePullSecrets:
|
||||
- name: default-registry-key
|
||||
{{ end }}
|
||||
+ tolerations:
|
||||
+ - key: "node-role.kubernetes.io/master"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}"
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,119 +0,0 @@
|
||||
From ed8b4b884a2a73b07934461206db66adf8da8218 Mon Sep 17 00:00:00 2001
|
||||
From: Boovan Rajendran <boovan.rajendran@windriver.com>
|
||||
Date: Fri, 28 Oct 2022 10:37:56 -0400
|
||||
Subject: [PATCH] Add toleration to deployment and jobs
|
||||
|
||||
The tolerations address the nodeselectors for kubernetes versions 1.24 and earlier.
|
||||
|
||||
Signed-off-by: Rafael Camargos <RafaelLucas.Camargos@windriver.com>
|
||||
---
|
||||
.../admission-webhooks/create-admission-webhooks.yaml | 3 +++
|
||||
.../admission-webhooks/delete-admission-webhooks.yaml | 3 +++
|
||||
helm/portieris/templates/crd-creation/create-crds.yaml | 3 +++
|
||||
helm/portieris/templates/crd-creation/delete-crds.yaml | 3 +++
|
||||
.../templates/crd-creation/validate-crd-creation.yaml | 3 +++
|
||||
helm/portieris/templates/default/create-default-policies.yaml | 3 +++
|
||||
helm/portieris/templates/deployment.yaml | 3 +++
|
||||
7 files changed, 21 insertions(+)
|
||||
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
index fe3e5c2..6674602 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/create-admission-webhooks.yaml
|
||||
@@ -31,6 +31,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
index e8edc3d..abd1538 100644
|
||||
--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
+++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
index 2033ee6..1237920 100644
|
||||
--- a/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/create-crds.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
index 894598a..b0a3c0a 100644
|
||||
--- a/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/delete-crds.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
index 58e501e..430c1ab 100644
|
||||
--- a/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
+++ b/helm/portieris/templates/crd-creation/validate-crd-creation.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/default/create-default-policies.yaml b/helm/portieris/templates/default/create-default-policies.yaml
|
||||
index fae1597..6f55ccc 100644
|
||||
--- a/helm/portieris/templates/default/create-default-policies.yaml
|
||||
+++ b/helm/portieris/templates/default/create-default-policies.yaml
|
||||
@@ -27,6 +27,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: hyperkube
|
||||
image: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}"
|
||||
diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml
|
||||
index e6c4184..7835f29 100644
|
||||
--- a/helm/portieris/templates/deployment.yaml
|
||||
+++ b/helm/portieris/templates/deployment.yaml
|
||||
@@ -29,6 +29,9 @@ spec:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
+ - key: "node-role.kubernetes.io/control-plane"
|
||||
+ operator: "Exists"
|
||||
+ effect: "NoSchedule"
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
image: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}"
|
||||
--
|
||||
2.25.1
|
||||
|
@ -15,7 +15,7 @@ spec:
|
||||
chart:
|
||||
spec:
|
||||
chart: portieris
|
||||
version: 0.7.0
|
||||
version: 0.13.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: stx-platform
|
||||
|
@ -8,13 +8,15 @@ replicaCount: 3
|
||||
namespace: portieris
|
||||
images:
|
||||
tags:
|
||||
portieris: docker.io/starlingx/portieris:stx.5.0-v0.7.0
|
||||
portieris: icr.io/portieris/portieris:v0.13.1
|
||||
image:
|
||||
host: registry.local:9001/docker.io/starlingx
|
||||
host: registry.local:9001/icr.io/portieris
|
||||
pullSecret: default-registry-key
|
||||
image: portieris
|
||||
tags: stx.5.0-v0.7.0
|
||||
tag: stx.5.0-v0.7.0
|
||||
IBMContainerService: false
|
||||
tag: v0.13.1
|
||||
tolerations:
|
||||
- key: "node-role.kubernetes.io/master"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
SkipSecretCreation: true
|
||||
UseCertManager: true
|
||||
|
||||
|
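Review bot: The `tolerations` list in this values override carries only `node-role.kubernetes.io/master`, while the patch this same commit deletes also tolerated `node-role.kubernetes.io/control-plane` on the deployment and on every job. The list appears to be newly added here, since the hunk's 13 old and 15 new lines fit that reading. If the Portieris pods are meant to run on nodes that carry only the control-plane taint, they would no longer schedule there. For an admission webhook that means either blocked pod creation or unenforced image policy, depending on the webhook's failure policy, which is not visible in this section. I would add a second entry, `- key: "node-role.kubernetes.io/control-plane"` with `operator: "Exists"` and `effect: "NoSchedule"`, and confirm that the v0.13.1 templates actually read `.Values.tolerations`.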