[occm] OpenStack Cloud Controller Manager Helm Chart (kubernetes#1458)

* bump chart version

* add helm chart openstack-cloud-controller-manager

* revert

* fix yaml

* fix linting

* remove block storage settings

Block storage is managed by cinder-csi-plugin

* Add support for all available options

* Update README with install instructions

* Add myself as maintainer

* add myself as chart maintainer

* Simplify configuration with default values

* add blockStorage rule for cloud.conf

* added blockStorage as value

* fix maintainer names to Github user names

See helm/chart-testing#192

* some more documentation

* move out service LoadBalancer to extra chart

* fix linting

Co-authored-by: Morre <[email protected]>

Author: eumel8

charts/openstack-cloud-controller-manager/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+appVersion: "latest"
+description: Openstack Cloud Controller Manager Helm Chart
+icon: https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/OpenStack-Logo-Vertical.png
+home: https://github.com/kubernetes/cloud-provider-openstack
+name: openstack-cloud-controller-manager
+version: 1.0.0
+maintainers:
+  - name: morremeyer
+    email: [email protected]
+    url: https://maurice-meyer.de
+  - name: eumel8
+    email: [email protected]
+    url: https://www.telekom.com

charts/openstack-cloud-controller-manager/README.md

@@ -0,0 +1,35 @@
+# openstack-cloud-controller-manager
+
+Deploys the OpenStack Cloud Controller Manager to your cluster.
+
+Default configuration values are the same as the CCM itself.
+
+## How To install
+
+You need to configure an `openstack-ccm.yaml` values file with at least:
+
+- `cloudConfig.global.auth-url` with the Keystone URL
+- Authentication
+  - with password: `cloudConfig.global.username` and `cloudconfig.global.password`
+  - with application credentials: (`cloudConfig.global.application-credential-id` or `cloudConfig.global.application-credential-name`) and `cloudConfig.global.application-credential-secret`
+- Load balancing
+  - `cloudConfig.loadbalancer.floating-network-id` **or**
+  - `cloudConfig.loadbalancer.floating-subnet-id` **or**
+  - `cloudConfig.loadbalancer.floating-subnet`
+
+If you want to enable health checks for your Load Balancers (optional), set `cloudConfig.loadbalancer.create-monitor: true`.
+
+Then run:
+
+```
+helm repo add cpo https://kubernetes.github.io/cloud-provider-openstack
+helm repo update
+helm install openstack-ccm cpo/openstack-cloud-controller-manager --values openstack-ccm.yaml
+```
+
+## Unsupported configurations
+
+- The chart does not support the mounting of custom `clouds.yaml` files. Therefore, the following config values in the `[Global]` section won’t have any effect:
+  - `use-clouds`
+  - `clouds-file`
+  - `cloud`

charts/openstack-cloud-controller-manager/templates/_helpers.tpl

@@ -0,0 +1,76 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "occm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "occm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels and app labels
+*/}}
+{{- define "occm.labels" -}}
+app.kubernetes.io/name: {{ include "occm.name" . }}
+helm.sh/chart: {{ include "occm.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "occm.common.matchLabels" -}}
+app: {{ template "occm.name" . }}
+release: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "occm.common.metaLabels" -}}
+chart: {{ template "occm.chart" . }}
+heritage: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "occm.controllermanager.matchLabels" -}}
+component: controllermanager
+{{ include "occm.common.matchLabels" . }}
+{{- end -}}
+
+{{- define "occm.controllermanager.labels" -}}
+{{ include "occm.controllermanager.matchLabels" . }}
+{{ include "occm.common.metaLabels" . }}
+{{- end -}}
+
+{{/*
+Create cloud-config makro.
+*/}}
+{{- define "cloudConfig" -}}
+[Global]
+{{- range $key, $value := .Values.cloudConfig.global }}
+{{ $key }} = {{ $value }}
+{{- end }}
+
+[Networking]
+{{- range $key, $value := .Values.cloudConfig.networking }}
+{{ $key }} = {{ $value }}
+{{- end }}
+
+[LoadBalancer]
+{{- range $key, $value := .Values.cloudConfig.loadBalancer }}
+{{ $key }} = {{ $value }}
+{{- end }}
+
+[BlockStorage]
+{{- range $key, $value := .Values.cloudConfig.blockStorage }}
+{{ $key }} = {{ $value }}
+{{- end }}
+
+[Metadata]
+{{- range $key, $value := .Values.cloudConfig.metadata }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end }}

charts/openstack-cloud-controller-manager/templates/clusterrole.yaml

@@ -0,0 +1,81 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:openstack-cloud-controller-manager
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - create
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - list
+  - get
+  - watch

charts/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.serviceMonitor.enabled }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: system:{{ include "occm.name" . }}:auth-delegate
+subjects:
+- kind: User
+  name: system:serviceaccount:{{ .Release.Namespace }}:{{ include "occm.name" . }}
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: system:auth-delegator
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:openstack-cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:openstack-cloud-controller-manager
+subjects:
+- kind: ServiceAccount
+  name: openstack-cloud-controller-manager
+  namespace: {{ .Release.Namespace | quote }}

charts/openstack-cloud-controller-manager/templates/daemonset.yaml

@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "occm.name" . }}
+  labels:
+    {{- include "occm.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "occm.controllermanager.matchLabels" . | nindent 6 }}
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+         checksum/config: {{ include "cloudConfig" . | sha256sum }}
+      labels:
+        {{- include "occm.controllermanager.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        runAsUser: 1001
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: openstack-cloud-controller-manager
+      containers:
+        - name: openstack-cloud-controller-manager
+          image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
+          args:
+            - /bin/openstack-cloud-controller-manager
+            - --v=1
+            - --cloud-config=$(CLOUD_CONFIG)
+            - --cloud-provider=openstack
+            - --use-service-account-credentials=true
+            {{- if .Values.serviceMonitor.enabled }}
+            - --address=0.0.0.0
+            {{- else }}
+            - --address=127.0.0.1
+            {{- end }}
+            {{- if .Values.controllerExtraArgs }}
+            {{- with .Values.controllerExtraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          {{- if .Values.serviceMonitor.enabled }}
+          ports:
+          - containerPort: 10258
+            hostPort: 10258
+            name: http
+            protocol: TCP
+          {{- end }}
+          volumeMounts:
+            - mountPath: /etc/kubernetes/pki
+              name: k8s-certs
+              readOnly: true
+            - mountPath: /etc/ssl/certs
+              name: ca-certs
+              readOnly: true
+            - mountPath: /etc/config
+              name: cloud-config-volume
+              readOnly: true
+            - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
+              name: flexvolume-dir
+          {{- if .Values.livenessProbe }}
+          livenessProbe:
+            {{- toYaml .Values.livenessProbe | nindent 12 }}
+          {{- end }}
+          {{- if .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml .Values.readinessProbe | nindent 12 }}
+          {{- end }}
+          {{- if .Values.resources }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- end }}
+          env:
+            - name: CLOUD_CONFIG
+              value: /etc/config/cloud.conf
+      hostNetwork: true
+      volumes:
+      - hostPath:
+          path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec
+          type: DirectoryOrCreate
+        name: flexvolume-dir
+      - hostPath:
+          path: /etc/kubernetes/pki
+          type: DirectoryOrCreate
+        name: k8s-certs
+      - hostPath:
+          path: /etc/ssl/certs
+          type: DirectoryOrCreate
+        name: ca-certs
+      - name: cloud-config-volume
+        secret:
+          secretName: {{ .Values.secret.name | default "cloud-config" }}

charts/openstack-cloud-controller-manager/templates/secret.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.secret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.secret.name | default "cloud-config" }}
+type: Opaque
+data:
+ cloud.conf: {{ include "cloudConfig" . | b64enc }}
+{{- end }}

charts/openstack-cloud-controller-manager/templates/service-sm.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "occm.labels" . | nindent 4 }}
+  name: {{ include "occm.name" . }}
+spec:
+  ports:
+  - name: http
+    port: 10258
+    protocol: TCP
+  selector:
+    {{- include "occm.labels" . | nindent 4 }}
+{{- end }}

charts/openstack-cloud-controller-manager/templates/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: openstack-cloud-controller-manager