From 50467c0f1015abdaff5ab4799791896b5fe7db86 Mon Sep 17 00:00:00 2001 From: Anthony Lin Date: Thu, 28 Dec 2017 17:21:56 +0000 Subject: [PATCH] RBAC: Update serviceaccount and k8s rbac for armada This patch set brings the armada chart to be inline with OSH* RBAC approach used in [0] and [1]. [0] https://review.openstack.org/#/c/526464/52 [1] https://review.openstack.org/#/c/529378/ Change-Id: Ia264c0eaeeba614d676385fab190c6bbfeecd656
---
 charts/armada/templates/deployment-api.yaml | 3 +++
 charts/armada/templates/job-ks-endpoints.yaml | 5 ++++-
 charts/armada/templates/job-ks-service.yaml | 5 ++++-
 charts/armada/templates/job-ks-user.yaml | 5 ++++-
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/charts/armada/templates/deployment-api.yaml b/charts/armada/templates/deployment-api.yaml
index 8ca9700d..2e6a7f2c 100644
--- a/charts/armada/templates/deployment-api.yaml
+++ b/charts/armada/templates/deployment-api.yaml
@@ -19,6 +19,8 @@ limitations under the License.
 {{- $dependencies := .Values.dependencies.api }}
 {{- $mounts_armada_api := .Values.pod.mounts.armada_api.armada_api }}
 {{- $mounts_armada_api_init := .Values.pod.mounts.armada_api.init_container }}
+{{- $serviceAccountName := "armada" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: Deployment
@@ -35,6 +37,7 @@ spec:
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 affinity:
 {{ tuple $envAll "armada" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
 nodeSelector:
diff --git a/charts/armada/templates/job-ks-endpoints.yaml b/charts/armada/templates/job-ks-endpoints.yaml
index b8a2d03f..6b167c01 100644
--- a/charts/armada/templates/job-ks-endpoints.yaml
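Review bot: The service account name in the first deployment-api.yaml hunk is the fixed literal `"armada"`, so every release of this chart in a namespace uses the same name, and the permissions attached to it are decided entirely by `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount`, whose output is not visible in this patch. If that snippet also names its Role and RoleBinding after this value (an assumption to confirm), a second release or another chart reusing the name would share or overwrite those grants. I would add a template comment above the assignment, e.g. `{{- /* ServiceAccount and RBAC objects are rendered by the helm-toolkit snippet below; the name must be unique within the namespace */ -}}`, and check that the rendered rules grant no more than the pod needs. The same applies to `armada-ks-endpoints`, `armada-ks-service` and `armada-ks-user` in the three job templates; `$envAll` is defined above this hunk.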
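Review bot: `serviceAccountName: {{ $serviceAccountName }}` in the second deployment-api.yaml hunk emits the templated value as a plain YAML scalar. It renders correctly for the current literal, but a quoted form keeps it a string if the name is later changed or made configurable. Suggest `serviceAccountName: {{ $serviceAccountName | quote }}` here and on the matching added line in job-ks-endpoints.yaml, job-ks-service.yaml and job-ks-user.yaml. The pod spec continues beyond this hunk.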
+++ b/charts/armada/templates/job-ks-endpoints.yaml
@@ -17,6 +17,8 @@ limitations under the License.
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
+{{- $serviceAccountName := "armada-ks-endpoints" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -28,11 +30,12 @@ spec:
 labels:
 {{ tuple $envAll "armada" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 {{- range $key1, $osServiceType := tuple "armada" }}
 {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
diff --git a/charts/armada/templates/job-ks-service.yaml b/charts/armada/templates/job-ks-service.yaml
index 408118e3..ee17f0fc 100644
--- a/charts/armada/templates/job-ks-service.yaml
+++ b/charts/armada/templates/job-ks-service.yaml
@@ -17,6 +17,8 @@ limitations under the License.
 {{- if .Values.manifests.job_ks_service }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_service }}
+{{- $serviceAccountName := "armada-ks-service" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
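Review bot: Replacing the string `"[]"` with `list` in the second job-ks-endpoints.yaml hunk changes the type of the third argument passed to `helm-toolkit.snippets.kubernetes_entrypoint_init_container`, yet the commit message mentions only the RBAC change. Together with the new `kubernetes_pod_rbac_serviceaccount` include, this presumably needs a helm-toolkit revision that provides both. None of the four changed files pins or bumps that dependency, so rendering against an older helm-toolkit would likely fail. I would state the required helm-toolkit change in the description and add a one-line template comment above the call saying what the empty list stands for. The same replacement appears in job-ks-service.yaml and job-ks-user.yaml.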
@@ -28,11 +30,12 @@ spec:
 labels:
 {{ tuple $envAll "armada" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 {{- range $key1, $osServiceType := tuple "armada" }}
 - name: {{ $osServiceType }}-ks-service-registration
diff --git a/charts/armada/templates/job-ks-user.yaml b/charts/armada/templates/job-ks-user.yaml
index 40583e0c..a69b123e 100644
--- a/charts/armada/templates/job-ks-user.yaml
+++ b/charts/armada/templates/job-ks-user.yaml
@@ -17,6 +17,8 @@ limitations under the License.
 {{- if .Values.manifests.job_ks_user }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
+{{- $serviceAccountName := "armada-ks-user" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -28,11 +30,12 @@ spec:
 labels:
 {{ tuple $envAll "armada" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 spec:
+ serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: OnFailure
 nodeSelector:
 {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
 initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
 containers:
 - name: armada-ks-user
 image: {{ .Values.images.tags.ks_user }}