From d2b31bfbc453b1dc13a35dc552d1141646ce64d1 Mon Sep 17 00:00:00 2001 From: Oleksandr Didenko Date: Mon, 13 Aug 2018 15:36:38 +0200 Subject: [PATCH] Add RBAC support in Helm chart Added needed RBAC resources to Helm chart to make application properly work on clusters with RBAC enabled. Also some minor labels and resource names improvements. --- helm-chart/externalipcontroller-0.1.1.tgz | Bin 0 -> 2432 bytes helm-chart/externalipcontroller/Chart.yaml | 2 +- .../templates/daemonset.yaml | 23 ++++++- .../templates/deployment.yaml | 41 ++++++++---- .../externalipcontroller/templates/rbac.yaml | 61 ++++++++++++++++++ helm-chart/externalipcontroller/values.yaml | 10 ++- 6 files changed, 118 insertions(+), 19 deletions(-) create mode 100644 helm-chart/externalipcontroller-0.1.1.tgz create mode 100644 helm-chart/externalipcontroller/templates/rbac.yaml 
diff --git a/helm-chart/externalipcontroller-0.1.1.tgz b/helm-chart/externalipcontroller-0.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7067c402d1c4872daef399d510d47f4b544f21d2 GIT binary patch literal 2432 zcmV-`34itDc zVQyr3R8em|NM&qo0PH$nbK5rZededwpZx1I@s$)MTeia)&s@&V-FVtMp16~nK4l*Z;$V(f;b$;RmC={lRzeD8e^Et_@M&h2cZ_tat7k0V3&p zRGJDN!F=E)sAEN?aqlOBr*x7lgg50ZfwKz@g2U`c!1Ph|4Ia`p~ z-zOFk#3J(mILR=A(~KImfXjlQZbKN(G%jX=$~#)Uc3&y{L^Lro%Dn>JsjL>ciqYva zHAd>F-=9!3&BvBw{}-wVH&pj$N80afKd*)&3}=0s6DWwmt+V+2XG#snxg0u~}yU@()67}SABGcv)*15hZ1rbehm z1lh)=0$|7_0>{L705WInLNFRHA~;LWg}G3uksD9PQ%rJ(Dq1b+m=T(-@D`26y0Z@% z(X$AK`xYe6F&wt;Qs_Tw{gAU<4^)`Y}90=lWlbPXGMvuWv2`b8Q|XW5fC%9PEW_>;Ev^JJ_!O z=YW3-1ry|`2m{KC6-@;PG8VaM#(kR&l=B0KbPK@}{s3xqLor9tJK-%Syqy!0uMi3EdBb*$M$NL22L zFxN;wVsH8-b3XAM>mW-!?~H>`2`cN7Np6H+xDq&%Csy?fAs7gbz!4MYw@H!!l~M>6 z#57Sr`08B|K0#gh^Y<=pcvn+Yxc*&(kVPK@FTs>@>iUk?B$Esy&nxJiW21?RVDM@f z3=WQhFc|J1^@p#lA9TDd34jlNi{zEVLK`~@yJ$zlPTIXs&O&P=Hx;S@OILBxrooRn zTy8jOQFgeVYyEHV{~xBvBq|*k`Q@qL2LC?{_eSgf|8RJ?_5aTSH#hxVnA0o*jmG71 zW+Cx7vu25>7{P9Tx%4cR_vTt!7htC7(ipoS?6dQkfmhP`;MO@p&(ie3udy!642s&q zxn&R(t|PFNZ|A6#-8_B-qjDa@!Jd1h*=3%l^cs48%?x?so(sKB3O`0xGSZx}1^kf{ zMpKH3b-PaE!235A+#S8KGOYF*#u$@aBWRH!{FIMTaWtrlex?*zqQU01jAqp4yGDSq z@#4jJ;cReveraiKw9pdcmmTJ?O0`Y$|Bicfe0SSaEv2H|q|p0b``_yx1n-a`(O9%B z*nY7Yo8h2JLDx3-)@8eWg6+E9?Ar#Fs}!oE^He$-+prMdEIYJz8F+2_^MN;`Jc*jR zco`a!5JQSUP~_32;e5;2vxYA|7NO+k28y_~TsrK{4bT*-&{QJ>_z0B8EKi)G#rIxK zP}}LY%}$H{on4es3K-SKnWoE(orbC8`K7>SxT_R!xOLU57-##%6TF51Lih-Oi;%C~An%Yfw8> zP}dY;xr}aoHe>?JWv|WWqESh_)uJvlHsx!Kb4AVKL~w)GCTavpm;-qIMp7@PqtV{li&Lvq1asz{5t&2@IuBe%Ij&Y+TTDNEwN}IB40Y`2AWnNPa zl$z5RU&pb?xjEnDA^!I>piS`~B@>Gb`9l(bjq(3*upa;SN26{0e-5}?{9nz2RswLZ z0J}PFX*ln{PzG^Zy((^%r#|`<L9qa)$zVw`(Q(HN|`}*oD!<;mK!t| z&izt@M&GxY!K1;3_}?hpeR%?~A^wMh!L9xOK^Si1|8qcD6|LNvJB};Lfa}Osm9$aL zEr`pt^tHRQg?qw=^{>Vxe(*i8P5J*IJX}Bj8*bPC^MH+m4F}-HySx~%TzbCmw~lJu 
zXOf$#Q1s8@ta^5&11jn>n-i96gX*1N_>gMh#=V87a#q~5B$ED1iCjA7?zP^?lW?hm&m^m@1XmFdG;^9dUF&!{dQuIz5$ZXA&(Qc!Mm zObUN~4~32Ha=qWM=6DGz*nTzttkD!ndL+1#Rm}vt~c;f8<$4POW z?uAsC(rZkLUH<>Q4B#zi3wH%k7Ak>61&neGyx{cm!=(`ly&X6aStdBVKe>d2D(wXm zYWnWCP~Qv2f2zLwtq{{m-~Lpudd~YbqcMqRxpa4*w6`1RE9vb9V>0u01CvQ__dnha yyeEo^T*KMv8|?*B3G2|kfF?-#1)UPVZ@u6awy=e73H}=Z0RR6$H=~;XIsgE(l(r85 literal 0 HcmV?d00001 diff --git a/helm-chart/externalipcontroller/Chart.yaml b/helm-chart/externalipcontroller/Chart.yaml index 9e0e547..0115125 100644 --- a/helm-chart/externalipcontroller/Chart.yaml +++ b/helm-chart/externalipcontroller/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 description: Configure External IPs on k8s worker node(s) to provide IP connectivity. name: externalipcontroller -version: 0.1.0 +version: 0.1.1 keywords: - externalip - external-ip diff --git a/helm-chart/externalipcontroller/templates/daemonset.yaml b/helm-chart/externalipcontroller/templates/daemonset.yaml index 988589f..ca17288 100644 --- a/helm-chart/externalipcontroller/templates/daemonset.yaml +++ b/helm-chart/externalipcontroller/templates/daemonset.yaml @@ -1,16 +1,26 @@ apiVersion: extensions/v1beta1 kind: DaemonSet metadata: - name: {{ .Values.controller.name }} + labels: + app: {{ template "fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + component: {{ .Values.controller.name }} + name: {{ template "fullname" . }}-{{ .Values.controller.name }} spec: + selector: + matchLabels: + app: {{ template "fullname" . }} + component: {{ .Values.controller.name }} template: metadata: labels: - app: {{ .Chart.Name }} + app: {{ template "fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + component: {{ .Values.controller.name }} spec: hostNetwork: true containers: - - name: {{ .Chart.Name }} + - name: {{ .Values.controller.name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: 
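Review bot: The templated values on the new `labels`, `selector.matchLabels` and `name` lines in the daemonset.yaml hunk are rendered unquoted, so a `controller.name` override that YAML reads as a boolean or number (for example `on` or `123`) yields a non-string label value and the manifest is rejected. Quoting keeps them strings: `component: {{ .Values.controller.name | quote }}` and `app: "{{ template "fullname" . }}"`. The deployment.yaml hunk has the same pattern and additionally drops the quotes the old `chart:` label had. The pod `spec` these lines belong to continues past the end of this hunk.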
@@ -22,3 +32,10 @@ spec:
 - --logtostderr
 - --v=5
 - --hb=500ms
+ resources:
+{{ toYaml .Values.controller.resources | indent 12 }}
+ {{- with .Values.controller.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "fullname" . }}
diff --git a/helm-chart/externalipcontroller/templates/deployment.yaml b/helm-chart/externalipcontroller/templates/deployment.yaml
index 8415f9b..80d842e 100644
--- a/helm-chart/externalipcontroller/templates/deployment.yaml
+++ b/helm-chart/externalipcontroller/templates/deployment.yaml
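Review bot: `serviceAccountName: {{ template "fullname" . }}` at the end of the daemonset.yaml hunk is rendered unconditionally, but the ServiceAccount of that name is only created inside `{{- if .Values.rbac.create }}` in rbac.yaml, and values.yaml defaults `rbac.create` to `false`. With default values the pods therefore reference an account that does not exist, and pod creation is rejected until someone creates it by hand. The same line closes the deployment.yaml hunk. Either guard both occurrences with `{{- if .Values.rbac.create }}` … `{{- end }}`, or move the ServiceAccount document out of the conditional in rbac.yaml so it is always created. The pod `spec` this line belongs to starts outside the hunk.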
@@ -1,26 +1,41 @@
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
- name: {{ .Values.scheduler.name }}
+ name: {{ template "fullname" . }}-{{ .Values.scheduler.name }}
 labels:
- chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+ app: {{ template "fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ component: {{ .Values.scheduler.name }}
 spec:
- replicas: {{ .Values.replicaCount }}
+ replicas: {{ .Values.scheduler.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ template "fullname" . }}
+ component: {{ .Values.scheduler.name }}
 template:
 metadata:
 labels:
- app: {{ .Values.scheduler.name }}
+ app: {{ template "fullname" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ component: {{ .Values.scheduler.name }}
 spec:
 containers:
- - name: {{ .Chart.Name }}
+ - name: {{ .Values.scheduler.name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 command:
- - ipmanager
- - scheduler
- - --mask={{ .Values.scheduler.network_mask }}
- - --logtostderr
- - --v=5
- - --leader-elect=true
- - --monitor=4s
- - --nodefilter=fair
+ - ipmanager
+ - scheduler
+ - --mask={{ .Values.scheduler.network_mask }}
+ - --logtostderr
+ - --v=5
+ - --leader-elect=true
+ - --monitor=4s
+ - --nodefilter=fair
+ resources:
+{{ toYaml .Values.scheduler.resources | indent 12 }}
+ {{- with .Values.scheduler.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ serviceAccountName: {{ template "fullname" . }}
diff --git a/helm-chart/externalipcontroller/templates/rbac.yaml b/helm-chart/externalipcontroller/templates/rbac.yaml
new file mode 100644
index 0000000..57d3077
--- /dev/null
+++ b/helm-chart/externalipcontroller/templates/rbac.yaml
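Review bot: The scheduler Deployment is put on the same ServiceAccount as the DaemonSet (`serviceAccountName: {{ template "fullname" . }}` closes both hunks), so the single ClusterRole in rbac.yaml has to carry the union of both workloads' permissions. The `endpoints` rule named `ipclaim-scheduler` looks like the lock for `--leader-elect=true`, which only this Deployment passes, while the DaemonSet runs with `hostNetwork: true` on every node and presumably needs less. A per-component account, e.g. `serviceAccountName: {{ template "fullname" . }}-{{ .Values.scheduler.name }}` here with its own role and binding, would keep the node agent's token from holding the scheduler's rights. Which rules each binary really needs is not visible in this diff and should be confirmed against ipmanager.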
@@ -0,0 +1,61 @@
+{{- if .Values.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app: {{ template "fullname" . }}
+ name: {{ template "fullname" . }}
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ resourceNames:
+ - "ipclaim-scheduler"
+ verbs:
+ - '*'
+- apiGroups:
+ - ipcontroller.ext
+ resources:
+ - ipclaims
+ - ipnodes
+ verbs:
+ - '*'
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: {{ template "fullname" . }}
+ name: {{ template "fullname" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: {{ template "fullname" . }}
+ name: {{ template "fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "fullname" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "fullname" . }}
+{{- end }}
diff --git a/helm-chart/externalipcontroller/values.yaml b/helm-chart/externalipcontroller/values.yaml
index ce46c6c..36ff3ed 100644
--- a/helm-chart/externalipcontroller/values.yaml
+++ b/helm-chart/externalipcontroller/values.yaml
@@ -1,7 +1,6 @@
 # Default values for externalipcontroller.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-replicaCount: 2
 image:
 repository: mirantis/k8s-externalipcontroller
 tag: latest
@@ -9,6 +8,13 @@ image:
 scheduler:
 name: claimscheduler
 network_mask: 24
+ nodeSelector: {}
+ replicaCount: 2
+ resources: {}
 controller:
- name: claimcontroller
 interface: docker0
+ name: claimcontroller
+ nodeSelector: {}
+ resources: {}
+rbac:
+ create: false
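Review bot: The first rule in rbac.yaml grants `'*'` on `customresourcedefinitions` cluster-wide, which lets this ServiceAccount modify or delete any CRD in the cluster, and deleting a CRD removes every object of that kind. Only `create` has to stay unrestricted, because a create request cannot be matched by `resourceNames`; the remaining verbs can be limited to the chart's own CRDs, as sketched below. The same limitation affects the `endpoints` rule: `'*'` combined with `resourceNames` does not authorize creating `ipclaim-scheduler`, so the first leader election may be denied unless that object already exists. The ClusterRoleBinding also uses `rbac.authorization.k8s.io/v1beta1` while the ClusterRole uses `v1`; one version for both would be consistent.

```yaml
rules:
# create cannot be matched by resourceNames, so it is granted separately
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
# other verbs only on this chart's CRDs; names assume <plural>.<group>,
# verbs are a guess - confirm both against what ipmanager registers and calls
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  - ipclaims.ipcontroller.ext
  - ipnodes.ipcontroller.ext
  verbs:
  - get
  - update
# … unchanged: services, endpoints and ipcontroller.ext rules …
```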
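Review bot: The keys added in the second values.yaml hunk carry no comments, and moving `replicaCount` under `scheduler` means an existing override of the top-level `replicaCount` is silently ignored after upgrading from 0.1.0. A short comment on each would help, e.g. `# rbac.create: create the ClusterRole, ClusterRoleBinding and ServiceAccount (needed on RBAC-enabled clusters)` above `rbac:` and `# replicaCount: number of scheduler replicas (was top-level replicaCount in 0.1.0)` above the moved key. `resources` and `nodeSelector` would benefit from a one-line note that they are passed through to the pod spec as-is.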