From 146cf2f9e67ddcab64cf7b67f8b0f5b4b3c66bec Mon Sep 17 00:00:00 2001
From: Anthony Lin
Date: Fri, 26 Jan 2018 18:28:22 +0000
Subject: [PATCH] Update Armada Tiller Chart

We are seeing error [0] during deployment. This is an attempt to fix the issue.

[0] Error Messages StatusCode.UNKNOWN, configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

Change-Id: I9b962d3b173fc59685c95901581c4ad0f31aa4b9
---
 charts/tiller/requirements.yaml | 18 ++++++++++
 .../tiller/templates/deployment-tiller.yaml | 17 +++++++++
 charts/tiller/templates/rbac.yaml | 35 -------------------
 charts/tiller/values.yaml | 7 +++-
 4 files changed, 41 insertions(+), 36 deletions(-)
 create mode 100644 charts/tiller/requirements.yaml
 delete mode 100644 charts/tiller/templates/rbac.yaml
diff --git a/charts/tiller/requirements.yaml b/charts/tiller/requirements.yaml
new file mode 100644
index 00000000..c3b7ad31
--- /dev/null
+++ b/charts/tiller/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2018 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: 0.1.0
diff --git a/charts/tiller/templates/deployment-tiller.yaml b/charts/tiller/templates/deployment-tiller.yaml
index bddda924..dc494712 100644
--- a/charts/tiller/templates/deployment-tiller.yaml
+++ b/charts/tiller/templates/deployment-tiller.yaml
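Review bot: In charts/tiller/requirements.yaml the `helm-toolkit` dependency is resolved from `http://localhost:8879/charts`, so the packaged chart contains whatever is being served on that port of the build host, fetched over plain HTTP. The diffstat shows no `requirements.lock` next to it, so nothing in the commit pins a digest for version `0.1.0`. If the local `helm serve` workflow is intentional, a comment above the entry such as `# helm-toolkit must be built and served locally (helm serve) before running helm dep up` would document it, and committing the lock file would make the resolved chart auditable.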
@@ -16,6 +16,22 @@ limitations under the License.
 {{- if .Values.manifests.deployment_tiller }}
 {{- $envAll := . }}
+{{- $dependencies := .Values.dependencies.tiller_deploy }}
+{{- $serviceAccountName := "tiller-deploy" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: run-tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -41,6 +57,7 @@ spec:
 app: helm
 name: tiller
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 containers:
 - env:
 - name: TILLER_NAMESPACE
diff --git a/charts/tiller/templates/rbac.yaml b/charts/tiller/templates/rbac.yaml
deleted file mode 100644
index 4409bc3d..00000000
--- a/charts/tiller/templates/rbac.yaml
+++ /dev/null
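Review bot: The added `run-tiller` ClusterRoleBinding gives the `tiller-deploy` service account `cluster-admin`, and together with the `serviceAccountName` line in the second hunk that grant now takes effect on the pod; the error quoted in the commit message suggests Tiller was previously running as `kube-system:default` without it. Anything that can reach Tiller's gRPC endpoint can then act with those rights unless the endpoint is restricted, and the container args that would show TLS or a listen address are outside this diff. The binding also sits under `manifests.deployment_tiller`, so the separate `manifests.rbac` switch removed in values.yaml no longer lets an operator leave it out. I would document the grant above the binding, e.g. `# Tiller runs as cluster-admin; restrict access to the tiller service (NetworkPolicy/TLS)`, and consider a release-scoped `name:` so two releases do not collide on the cluster-wide `run-tiller` object. The enclosing `{{- if }}` block closes outside the hunk.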
@@ -1,35 +0,0 @@
-{{/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: tiller
- namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: tiller
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
-- kind: ServiceAccount
- name: tiller
- namespace: {{ .Release.Namespace }}
-{{- end }}
diff --git a/charts/tiller/values.yaml b/charts/tiller/values.yaml
index 1f8e6928..1a12ad05 100644
--- a/charts/tiller/values.yaml
+++ b/charts/tiller/values.yaml
@@ -14,6 +14,9 @@
 # namespace: "kube-system"
+dependencies:
+ tiller_deploy:
+
 images:
 tags:
 tiller: gcr.io/kubernetes-helm/tiller:v2.7.2
@@ -21,6 +24,9 @@ images:
 pull_policy: "IfNotPresent"
 deployment:
+ # NOTE: CUrrent replica is hard-coded to 1. This is a placeholder variable
+ # for future usage. Updates will be made to the chart when we know that
+ # tiller is stable with multiple instances.
 replicas: 1
 # The amount of revision tiller is willing to support. 0 means that there is
 # no limit.
@@ -29,4 +35,3 @@ deployment:
 manifests:
 deployment_tiller: true
 service_tiller: true
- rbac: true
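Review bot: In charts/tiller/values.yaml the new `tiller_deploy:` key has no value, so it parses as null, and deployment-tiller.yaml passes that null as `$dependencies` into the helm-toolkit service-account snippet. Whether the snippet tolerates a nil dependency map cannot be seen from this diff; writing `tiller_deploy: {}` states the intent (no dependencies) explicitly and avoids relying on it. The NOTE comment added in the following hunk also carries a typo, `CUrrent`.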