From 671db4457a36477bf32df59288865acefeee0b68 Mon Sep 17 00:00:00 2001 From: Sagar2366 Date: Tue, 26 Jul 2022 23:39:40 +0530 Subject: [PATCH 1/7] Adding Sagar Utekar to contributor list --- Chart.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Chart.yaml b/Chart.yaml index 2a163901..344a7d94 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -25,6 +25,8 @@ maintainers: email: kooper@illinois.edu - name: Aju Tamang email: aju.775401@ac.tu.edu.np + - name: Sagar Utekar + email: sagarutekar2366@gmail.com # location of source code sources: From 163595d401b2c1cedf9fee1bf5f9589fcfc12b4c Mon Sep 17 00:00:00 2001 From: Sagar2366 Date: Tue, 26 Jul 2022 23:43:15 +0530 Subject: [PATCH 2/7] Updating instruction to fetch helm chart dependencies --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 32488c9e..84de6966 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ Bety is a Web-interface to the Biofuel Ecophysiological Traits and Yields Databa ``` helm repo add ncsa https://opensource.ncsa.illinois.edu/charts/ +helm dependency build ``` To install the chart with the release name my-release: From 7f70c580d5748b85f35cc582311245f5a585efed Mon Sep 17 00:00:00 2001 From: Sagar2366 Date: Wed, 27 Jul 2022 00:11:14 +0530 Subject: [PATCH 3/7] RBAC for betydb --- templates/deployment.yaml | 2 ++ templates/role.yaml | 21 +++++++++++++++++++++ templates/rolebinding.yaml | 13 +++++++++++++ templates/serviceAccount.yaml | 4 ++++ 4 files changed, 40 insertions(+) create mode 100644 templates/role.yaml create mode 100644 templates/rolebinding.yaml create mode 100644 templates/serviceAccount.yaml diff --git a/templates/deployment.yaml b/templates/deployment.yaml index b9027786..31744e90 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml 
@@ -36,6 +36,8 @@ spec: name: {{ include "betydb.fullname" . }}-logos {{- end }} {{- end }} + serviceAccountName: {{ include "betydb.fullname" . }} + automountServiceAccountToken: false initContainers: - name: check-postgresql image: "{{ $.Values.image.checks }}" diff --git a/templates/role.yaml b/templates/role.yaml new file mode 100644 index 00000000..36b417e4 --- /dev/null +++ b/templates/role.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "betydb.fullname" . }} + labels: + {{- include "betydb.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["pods", "endpoints", "Services", "configmaps"] + verbs: + - list + - watch + - get +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - list + - watch + - get \ No newline at end of file diff --git a/templates/rolebinding.yaml b/templates/rolebinding.yaml new file mode 100644 index 00000000..31773851 --- /dev/null +++ b/templates/rolebinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "betydb.fullname" . }} + labels: + {{- include "betydb.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "betydb.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "betydb.fullname" . }} \ No newline at end of file diff --git a/templates/serviceAccount.yaml b/templates/serviceAccount.yaml new file mode 100644 index 00000000..3a3daf9b --- /dev/null +++ b/templates/serviceAccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "betydb.fullname" . }} From 8c8026e6b67b9e69fd05885a1acd7468e5ec84c2 Mon Sep 17 00:00:00 2001 
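Review bot: In templates/deployment.yaml the pod gets a dedicated `serviceAccountName` together with `automountServiceAccountToken: false`, so no API token is mounted and the pod itself cannot use the Role and RoleBinding this commit creates for that account. The grant still exists for any principal able to obtain a token for the account, so it is standing read access that nothing in the visible change needs. If no container calls the Kubernetes API, I would drop templates/role.yaml and templates/rolebinding.yaml and keep only the ServiceAccount with automount disabled; if one does (the hunk does not show this), mount the token and trim the Role to what that container reads. The same applies to the `-hooks` account set on the jobs in templates/hooks/add-user.yaml and templates/hooks/load-db.yaml. The pod spec starts and ends outside the hunk.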
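Review bot: In templates/role.yaml the first rule lists `"Services"` with a capital S. RBAC resource names are the lowercase plural form and are compared as written, so this entry most likely grants nothing; it should read `resources: ["pods", "endpoints", "services", "configmaps"]` if service reads are intended. The same rule gives `get`/`list`/`watch` on every ConfigMap in the namespace; if only the chart's own ConfigMaps are needed, a separate rule with `resourceNames` and the `get` verb would narrow it. A one-line comment above `rules:` naming the component that reads these objects would let a reviewer check the grant against actual use.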
From: Sagar2366 Date: Wed, 27 Jul 2022 00:16:59 +0530 Subject: [PATCH 4/7] RBAC for Betydb hooks --- templates/hooks/add-user.yaml | 2 ++ templates/hooks/load-db.yaml | 2 ++ templates/hooks/role.yaml | 16 ++++++++++++++++ templates/hooks/rolebinding.yaml | 13 +++++++++++++ templates/hooks/serviceAccount.yaml | 4 ++++ 5 files changed, 37 insertions(+) create mode 100644 templates/hooks/role.yaml create mode 100644 templates/hooks/rolebinding.yaml create mode 100644 templates/hooks/serviceAccount.yaml diff --git a/templates/hooks/add-user.yaml b/templates/hooks/add-user.yaml index df160cbe..9c36ac5d 100644 --- a/templates/hooks/add-user.yaml +++ b/templates/hooks/add-user.yaml @@ -32,6 +32,8 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} + serviceAccountName: {{ include "betydb.fullname" . }}-hooks + automountServiceAccountToken: false initContainers: #{{- if or .Values.dburl .Values.dbtag }} # - name: check-job diff --git a/templates/hooks/load-db.yaml b/templates/hooks/load-db.yaml index e6e244db..860e46ea 100644 --- a/templates/hooks/load-db.yaml +++ b/templates/hooks/load-db.yaml @@ -33,6 +33,8 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} env: {{- include "betydb.postgresqlEnv" . | nindent 12 }} + serviceAccountName: {{ include "betydb.fullname" . }}-hooks + automountServiceAccountToken: false containers: - name: bety-init {{- if .Values.dburl }} diff --git a/templates/hooks/role.yaml b/templates/hooks/role.yaml new file mode 100644 index 00000000..327f9067 --- /dev/null +++ b/templates/hooks/role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "betydb.fullname" . }} + labels: + {{- include "betydb.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["pods", "endpoints", "Services"] + verbs: + - list + - watch + - get +- apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "list", "watch"] \ No newline at end of file 
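Review bot: The jobs in templates/hooks/add-user.yaml and templates/hooks/load-db.yaml now depend on a dedicated ServiceAccount, but the ServiceAccount template added under templates/hooks in this commit carries no `helm.sh/hook` annotations, so Helm installs it as an ordinary release resource. If these jobs run as pre-install hooks (their annotations are outside the hunks, so this is inferred from the directory name), the account would not exist when the job's pod is created and pod creation would fail. Giving the ServiceAccount the same `helm.sh/hook` events as the jobs and a lower `helm.sh/hook-weight` than theirs would make the ordering explicit. Both job specs continue outside their hunks.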
diff --git a/templates/hooks/rolebinding.yaml b/templates/hooks/rolebinding.yaml new file mode 100644 index 00000000..31773851 --- /dev/null +++ b/templates/hooks/rolebinding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "betydb.fullname" . }} + labels: + {{- include "betydb.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "betydb.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "betydb.fullname" . }} \ No newline at end of file diff --git a/templates/hooks/serviceAccount.yaml b/templates/hooks/serviceAccount.yaml new file mode 100644 index 00000000..3a3daf9b --- /dev/null +++ b/templates/hooks/serviceAccount.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "betydb.fullname" . }} From b6e74b3b5f596ec497fb1089515d5f21d3c699ff Mon Sep 17 00:00:00 2001 From: Sagar2366 Date: Wed, 27 Jul 2022 00:26:16 +0530 Subject: [PATCH 5/7] Renaming role name for betydb hooks --- templates/hooks/role.yaml | 2 +- templates/hooks/serviceAccount.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/hooks/role.yaml b/templates/hooks/role.yaml index 327f9067..4dba8850 100644 --- a/templates/hooks/role.yaml +++ b/templates/hooks/role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "betydb.fullname" . }} + name: {{ include "betydb.fullname" . }}-hooks labels: {{- include "betydb.labels" . | nindent 4 }} rules: diff --git a/templates/hooks/serviceAccount.yaml b/templates/hooks/serviceAccount.yaml index 3a3daf9b..424d8691 100644 --- a/templates/hooks/serviceAccount.yaml +++ b/templates/hooks/serviceAccount.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "betydb.fullname" . }} + name: {{ include "betydb.fullname" . }}-hooks From d4aefb9ad85a609f94d22d2580cb78f116c60ffe Mon Sep 17 00:00:00 2001 
From: Sagar2366 Date: Wed, 27 Jul 2022 00:27:21 +0530 Subject: [PATCH 6/7] Renaming role name for betydb hooks --- templates/hooks/rolebinding.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/hooks/rolebinding.yaml b/templates/hooks/rolebinding.yaml index 31773851..d69bf001 100644 --- a/templates/hooks/rolebinding.yaml +++ b/templates/hooks/rolebinding.yaml @@ -1,13 +1,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "betydb.fullname" . }} + name: {{ include "betydb.fullname" . }}-hooks labels: {{- include "betydb.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ include "betydb.fullname" . }} + name: {{ include "betydb.fullname" . }}-hooks subjects: - kind: ServiceAccount - name: {{ include "betydb.fullname" . }} \ No newline at end of file + name: {{ include "betydb.fullname" . }}-hooks \ No newline at end of file From 078a013dee88631faf45fafcbb2f6757073ba70d Mon Sep 17 00:00:00 2001 From: Sagar2366 Date: Wed, 27 Jul 2022 01:12:25 +0530 Subject: [PATCH 7/7] Removing bety hook role extra permissions --- templates/hooks/role.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/hooks/role.yaml b/templates/hooks/role.yaml index 4dba8850..6985843c 100644 --- a/templates/hooks/role.yaml +++ b/templates/hooks/role.yaml @@ -6,7 +6,7 @@ metadata: {{- include "betydb.labels" . | nindent 4 }} rules: - apiGroups: [""] - resources: ["pods", "endpoints", "Services"] + resources: ["pods"] verbs: - list - watch