From 5f82956cfaa943ff944fe275ef67802235d76428 Mon Sep 17 00:00:00 2001 From: Pete Birley Date: Thu, 12 Apr 2018 00:19:37 -0500 Subject: [PATCH] Chart: Update armada chart This PS cleans and updates the armada chart. Change-Id: Ibe4247fa2caabfcefd294f23fc8ae016094c0dcc --- charts/armada/templates/configmap-bin.yaml | 1 + charts/armada/templates/configmap-etc.yaml | 12 +- charts/armada/templates/deployment-api.yaml | 5 +- charts/armada/templates/ingress-api.yaml | 45 +------ charts/armada/templates/job-ks-endpoints.yaml | 58 +-------- charts/armada/templates/job-ks-service.yaml | 50 +------- charts/armada/templates/job-ks-user.yaml | 51 +------- .../armada/templates/secret-keystone-env.yaml | 2 +- charts/armada/templates/service-ingress.yaml | 18 +-- charts/armada/templates/service.yaml | 4 +- charts/armada/values.yaml | 116 ++++++++++-------- 11 files changed, 87 insertions(+), 275 deletions(-) diff --git a/charts/armada/templates/configmap-bin.yaml b/charts/armada/templates/configmap-bin.yaml index 95138ca1..7487b0d1 100644 --- a/charts/armada/templates/configmap-bin.yaml +++ b/charts/armada/templates/configmap-bin.yaml @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} +--- apiVersion: v1 kind: ConfigMap metadata: diff --git a/charts/armada/templates/configmap-etc.yaml b/charts/armada/templates/configmap-etc.yaml index 9589dc85..2736a763 100644 --- a/charts/armada/templates/configmap-etc.yaml +++ b/charts/armada/templates/configmap-etc.yaml 
@@ -25,9 +25,7 @@ limitations under the License. {{- tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup"| set .Values.conf.armada.keystone_authtoken "auth_url" | quote | trunc 0 -}} {{- end -}} - -{{- $userIdentity := .Values.endpoints.identity.auth.user -}} - +{{- $userIdentity := .Values.endpoints.identity.auth.armada -}} {{- if empty .Values.conf.armada.keystone_authtoken.project_name -}} {{- set .Values.conf.armada.keystone_authtoken "project_name" $userIdentity.project_name | quote | trunc 0 -}} {{- end -}} @@ -50,10 +48,10 @@ kind: ConfigMap metadata: name: armada-etc data: - armada.conf: |+ + armada.conf: | {{ include "helm-toolkit.utils.to_oslo_conf" .Values.conf.armada | indent 4 }} - api-paste.ini: |+ + api-paste.ini: | {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | indent 4 }} - policy.yaml: |+ -{{ toYaml .Values.conf.policy | indent 4 }} + policy.yaml: | +{{ toYaml .Values.conf.policy | indent 4 }} {{- end }} diff --git a/charts/armada/templates/deployment-api.yaml b/charts/armada/templates/deployment-api.yaml index 084fbf7e..42367eb4 100644 --- a/charts/armada/templates/deployment-api.yaml +++ b/charts/armada/templates/deployment-api.yaml @@ -16,7 +16,7 @@ limitations under the License. {{- if .Values.manifests.deployment_api }} {{- $envAll := . }} -{{- $dependencies := .Values.dependencies.api }} +{{- $dependencies := .Values.dependencies.static.api }} {{- $mounts_armada_api := .Values.pod.mounts.armada_api.armada_api }} {{- $mounts_armada_api_init := .Values.pod.mounts.armada_api.init_container }} {{- $serviceAccountName := "armada-api" }} @@ -104,7 +104,8 @@ spec: securityContext: runAsUser: {{ .Values.pod.user.armada.uid }} ports: - - containerPort: {{ .Values.conf.armada.armada_api.bind_port }} + - name: armada-api + containerPort: {{ tuple "armada" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} livenessProbe: httpGet: path: /api/v1.0/health 
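Review bot: Pointing `$userIdentity` at `.Values.endpoints.identity.auth.armada` means any site override still written under `endpoints.identity.auth.user` is silently ignored, and the chart's own defaults for the `armada` entry are used instead. The same rename appears in the `secret-keystone-env.yaml` hunk (`tuple "admin" "armada"`) and in `values.yaml`, where that entry defaults to `password: password`, so an upgraded deployment could render the placeholder credential without any error. Consider failing the render while the legacy key is present, for example `{{- if hasKey .Values.endpoints.identity.auth "user" }}{{ fail "endpoints.identity.auth.user was renamed to endpoints.identity.auth.armada" }}{{- end }}`, or at least call out the rename in the commit message. The rest of this template lies outside the hunk, so it is not visible which other fields are read from `$userIdentity`.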
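Review bot: The `containerPort` in the last hunk of `deployment-api.yaml` now comes from `helm-toolkit.endpoints.endpoint_port_lookup`, while `conf.armada.armada_api.bind_port` is still defined (8000) in `values.yaml`, so the two values can drift apart. If the process listens on `bind_port`, as the removed line suggests, overriding only one of them leaves the named port pointing at a port nothing listens on; the same goes for the Service in the `service.yaml` hunk, which uses the same lookup. A short comment above the port, e.g. `# must match conf.armada.armada_api.bind_port`, or deriving `bind_port` from the same lookup in `configmap-etc.yaml`, would keep them in step. The probe definitions continue past the end of the hunk.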
diff --git a/charts/armada/templates/ingress-api.yaml b/charts/armada/templates/ingress-api.yaml
index eafa0ca8..0e9d09d2 100644
--- a/charts/armada/templates/ingress-api.yaml
+++ b/charts/armada/templates/ingress-api.yaml
@@ -14,46 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.ingress_api }} -{{- $envAll := . }} -{{- if .Values.network.api.ingress.public }} -{{- $backendServiceType := "armada" }} -{{- $backendPort := "http" }} -{{- $ingressName := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} -{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} -{{- $hostName := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} -{{- $hostNameNamespaced := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_namespaced_endpoint_lookup" }} -{{- $hostNameFull := tuple $backendServiceType "public" $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} ---- -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: {{ $ingressName }} - annotations: - kubernetes.io/ingress.class: "nginx" - ingress.kubernetes.io/rewrite-target: / -spec: - rules: -{{ if ne $hostNameNamespaced $hostNameFull }} -{{- range $key1, $vHost := tuple $hostName $hostNameNamespaced $hostNameFull }} - - host: {{ $vHost }} - http: - paths: - - path: / - backend: - serviceName: {{ $backendName }} - servicePort: {{ $backendPort }} -{{- end }} -{{- else }} -{{- range $key1, $vHost := tuple $hostName $hostNameNamespaced }} - - host: {{ $vHost }} - http: - paths: - - path: / - backend: - serviceName: {{ $backendName }} - servicePort: {{ $backendPort }} -{{- end }} -{{- end }} -{{- end }} +{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} +{{- $ingressOpts := dict "envAll" . "backendServiceType" "armada" "backendPort" "armada-api" -}} +{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{- end }} 
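Review bot: The Ingress rendered here is now whatever `helm-toolkit.manifests.ingress` produces, yet the diffstat shows no change to the chart's dependency declaration, so this commit does not fix which helm-toolkit revision supplies the template. The same applies to `helm-toolkit.manifests.job_ks_endpoints`, `job_ks_service`, `job_ks_user` and `service_ingress` in the later hunks. The removed job specs mounted their scripts with `readOnly: true` and passed the Keystone admin secret explicitly, and this diff cannot show whether the shared templates keep those properties. It would help to state the minimum helm-toolkit revision in the commit message and add a template comment such as `{{/* requires a helm-toolkit that provides helm-toolkit.manifests.ingress */}}`. Comparing `helm template` output before and after the change for these five resources would confirm nothing security-relevant was dropped.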
diff --git a/charts/armada/templates/job-ks-endpoints.yaml b/charts/armada/templates/job-ks-endpoints.yaml
index 6b167c01..5cf7ad30 100644
--- a/charts/armada/templates/job-ks-endpoints.yaml
+++ b/charts/armada/templates/job-ks-endpoints.yaml
@@ -13,60 +13,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */}} ---- + {{- if .Values.manifests.job_ks_endpoints }} -{{- $envAll := . }} -{{- $dependencies := .Values.dependencies.ks_endpoints }} -{{- $serviceAccountName := "armada-ks-endpoints" }} -{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: armada-ks-endpoints -spec: - template: - metadata: - labels: -{{ tuple $envAll "armada" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - spec: - serviceAccountName: {{ $serviceAccountName }} - restartPolicy: OnFailure - nodeSelector: - {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} - initContainers: -{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - containers: -{{- range $key1, $osServiceType := tuple "armada" }} -{{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} - - name: {{ $osServiceType }}-ks-endpoints-{{ $osServiceEndPoint }} - image: {{ $envAll.Values.images.tags.ks_endpoints }} - imagePullPolicy: {{ $envAll.Values.images.pull_policy }} -{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_endpoints | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - command: - - /tmp/ks-endpoints.sh - volumeMounts: - - name: ks-endpoints-sh - mountPath: /tmp/ks-endpoints.sh - subPath: ks-endpoints.sh - readOnly: true - env: -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} -{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- $ksServiceJob := dict "envAll" . 
"serviceName" "armada" "serviceTypes" ( tuple "armada" ) -}} +{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_endpoints" }} {{- end }} - - name: OS_SVC_ENDPOINT - value: {{ $osServiceEndPoint }} - - name: OS_SERVICE_NAME - value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }} - - name: OS_SERVICE_TYPE - value: {{ $osServiceType }} - - name: OS_SERVICE_ENDPOINT - value: {{ tuple $osServiceType $osServiceEndPoint "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} -{{- end }} -{{- end }} - volumes: - - name: ks-endpoints-sh - configMap: - name: armada-bin - defaultMode: 0555 -{{- end -}} diff --git a/charts/armada/templates/job-ks-service.yaml b/charts/armada/templates/job-ks-service.yaml index ee17f0fc..ad55125b 100644 --- a/charts/armada/templates/job-ks-service.yaml +++ b/charts/armada/templates/job-ks-service.yaml 
@@ -15,52 +15,6 @@ limitations under the License. */}} {{- if .Values.manifests.job_ks_service }} -{{- $envAll := . }} -{{- $dependencies := .Values.dependencies.ks_service }} -{{- $serviceAccountName := "armada-ks-service" }} -{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: armada-ks-service -spec: - template: - metadata: - labels: -{{ tuple $envAll "armada" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - spec: - serviceAccountName: {{ $serviceAccountName }} - restartPolicy: OnFailure - nodeSelector: - {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} - initContainers: -{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - containers: -{{- range $key1, $osServiceType := tuple "armada" }} - - name: {{ $osServiceType }}-ks-service-registration - image: {{ $envAll.Values.images.tags.ks_service }} - imagePullPolicy: {{ $envAll.Values.images.pull_policy }} -{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_service | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - command: - - /tmp/ks-service.sh - volumeMounts: - - name: ks-service-sh - mountPath: /tmp/ks-service.sh - subPath: ks-service.sh - readOnly: true - env: -{{- with $env := dict "ksUserSecret" $envAll.Values.secrets.identity.admin }} -{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} -{{- end }} - - name: OS_SERVICE_NAME - value: {{ tuple $osServiceType $envAll | include "helm-toolkit.endpoints.keystone_endpoint_name_lookup" }} - - name: OS_SERVICE_TYPE - value: {{ $osServiceType }} -{{- end }} - volumes: - - name: ks-service-sh - configMap: - name: armada-bin - defaultMode: 0555 +{{- $ksServiceJob := dict "envAll" . 
"serviceName" "armada" "serviceTypes" ( tuple "armada" ) -}} +{{ $ksServiceJob | include "helm-toolkit.manifests.job_ks_service" }} {{- end }} diff --git a/charts/armada/templates/job-ks-user.yaml b/charts/armada/templates/job-ks-user.yaml index 9521d9cb..b0ed59ce 100644 --- a/charts/armada/templates/job-ks-user.yaml +++ b/charts/armada/templates/job-ks-user.yaml 
@@ -15,53 +15,6 @@ limitations under the License. */}} {{- if .Values.manifests.job_ks_user }} -{{- $envAll := . }} -{{- $dependencies := .Values.dependencies.ks_user }} -{{- $serviceAccountName := "armada-ks-user" }} -{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: armada-ks-user -spec: - template: - metadata: - labels: -{{ tuple $envAll "armada" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} - spec: - serviceAccountName: {{ $serviceAccountName }} - restartPolicy: OnFailure - nodeSelector: - {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} - initContainers: -{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} - containers: - - name: armada-ks-user - image: {{ .Values.images.tags.ks_user }} - imagePullPolicy: {{ .Values.images.pull_policy }} -{{ tuple $envAll $envAll.Values.pod.resources.jobs.ks_user | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} - command: - - /tmp/ks-user.sh - volumeMounts: - - name: ks-user-sh - mountPath: /tmp/ks-user.sh - subPath: ks-user.sh - readOnly: true - env: -{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }} -{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} -{{- end }} - - name: SERVICE_OS_SERVICE_NAME - value: "armada" -{{- with $env := dict "ksUserSecret" .Values.secrets.identity.user }} -{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }} -{{- end }} - - name: SERVICE_OS_ROLE - value: {{ .Values.endpoints.identity.auth.user.role | quote }} - volumes: - - name: ks-user-sh - configMap: - name: armada-bin - defaultMode: 0555 +{{- $ksUserJob := dict "envAll" . "serviceName" "armada" -}} +{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} {{- end }} 
diff --git a/charts/armada/templates/secret-keystone-env.yaml b/charts/armada/templates/secret-keystone-env.yaml index 2f159e29..0e4253d4 100644 --- a/charts/armada/templates/secret-keystone-env.yaml +++ b/charts/armada/templates/secret-keystone-env.yaml @@ -16,7 +16,7 @@ limitations under the License. {{- if .Values.manifests.secret_keystone }} {{- $envAll := . }} -{{- range $key1, $userClass := tuple "admin" "user" }} +{{- range $key1, $userClass := tuple "admin" "armada" }} {{- $secretName := index $envAll.Values.secrets.identity $userClass }} --- apiVersion: v1 diff --git a/charts/armada/templates/service-ingress.yaml b/charts/armada/templates/service-ingress.yaml index 2e50e4f7..54cc97ac 100644 --- a/charts/armada/templates/service-ingress.yaml +++ b/charts/armada/templates/service-ingress.yaml @@ -14,19 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.service_ingress_api }} -{{- $envAll := . }} -{{- if .Values.network.api.ingress.public }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ tuple "armada" "public" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} -spec: - ports: - - name: http - port: 80 - selector: - app: ingress-api -{{- end }} +{{- if and .Values.manifests.service_ingress .Values.network.api.ingress.public }} +{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "armada" -}} +{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }} {{- end }} diff --git a/charts/armada/templates/service.yaml b/charts/armada/templates/service.yaml index 3d44c568..12efe427 100644 --- a/charts/armada/templates/service.yaml +++ b/charts/armada/templates/service.yaml @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.service_api }} +{{- if .Values.manifests.service }} {{- $envAll := . }} --- apiVersion: v1 
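Review bot: Renaming the guard in `service-ingress.yaml` from `manifests.service_ingress_api` to `manifests.service_ingress` (and `manifests.service_api` to `manifests.service` in the `service.yaml` hunk) turns an existing override such as `service_ingress_api: false` into a no-op, because the new keys default to `true` in the last `values.yaml` hunk. Together with `network.api.ingress.public` now defaulting to `true`, an operator who had switched the ingress Service off would see it rendered again after upgrading. Mention the renamed toggles in the commit message, or fail the render while a legacy key is still set, so the change in exposure is not silent.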
@@ -24,7 +24,7 @@ metadata: spec: ports: - name: armada-api - port: {{ .Values.conf.armada.armada_api.bind_port }} + port: {{ tuple "armada" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} {{ if .Values.network.api.node_port.enabled }} nodePort: {{ .Values.network.api.node_port.port }} {{ end }} diff --git a/charts/armada/values.yaml b/charts/armada/values.yaml index 30f7c8db..55fd2a62 100644 --- a/charts/armada/values.yaml +++ b/charts/armada/values.yaml 
@@ -17,49 +17,57 @@ release_group: null labels: + job: + node_selector_key: ucp-control-plane + node_selector_value: enabled node_selector_key: ucp-control-plane node_selector_value: enabled images: + pull_policy: IfNotPresent tags: - api: quay.io/attcomdev/armada:latest - dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.0 - ks_endpoints: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 - ks_service: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 - ks_user: docker.io/kolla/ubuntu-source-heat-engine:3.0.3 - - pull_policy: "IfNotPresent" + api: 'quay.io/attcomdev/armada:latest' + dep_check: 'quay.io/stackanetes/kubernetes-entrypoint:v0.3.0' + ks_endpoints: 'docker.io/openstackhelm/heat:newton' + ks_service: 'docker.io/openstackhelm/heat:newton' + ks_user: 'docker.io/openstackhelm/heat:newton' network: api: ingress: - public: false + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + classes: + cluster: nginx-cluster + namespace: nginx + public: true node_port: - enabled: true + enabled: false port: 31903 dependencies: - ks_user: - services: - - service: identity - endpoint: internal - ks_service: - services: - - service: identity - endpoint: internal - ks_endpoints: - jobs: - - armada-ks-service - services: - - service: identity - endpoint: internal - api: - jobs: - - armada-ks-service - - armada-ks-user - services: - - service: identity - endpoint: internal + static: + api: + jobs: + - armada-ks-service + - armada-ks-user + services: + - endpoint: internal + service: identity + ks_endpoints: + jobs: + - armada-ks-service + services: + - endpoint: internal + service: identity + ks_service: + services: + - endpoint: internal + service: identity + ks_user: + services: + - endpoint: internal + service: identity # typically overriden by environmental # values, but should include all endpoints 
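Review bot: The defaults in this hunk flip `network.api.ingress.public` from `false` to `true`, so a plain install now publishes the Armada API through the ingress controller unless the operator opts out. If that is intended, a comment next to the key, e.g. `# exposes the API via ingress; set to false for cluster-internal use only`, would make the exposure explicit. The image references are also mutable tags (`armada:latest`, `heat:newton`) combined with `pull_policy: IfNotPresent`, so different nodes can end up running different image contents under the same name. Pinning by digest in deployment overrides would avoid that.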
@@ -76,13 +84,13 @@ endpoints: region_name: RegionOne user_domain_name: default username: admin - user: - password: armada - project_domain_name: ucp + armada: + password: password + project_domain_name: default project_name: service region_name: RegionOne role: admin - user_domain_name: ucp + user_domain_name: default username: armada hosts: default: keystone-api @@ -116,35 +124,35 @@ endpoints: secrets: identity: admin: armada-keystone-admin - user: armada-keystone-user + armada: armada-keystone-user conf: armada: + armada_api: + bind_port: 8000 keystone_authtoken: auth_type: password auth_version: 3 delay_auth_decision: true - armada_api: - bind_port: 8000 oslo_policy: - policy_file: "policy.yaml" + policy_file: policy.yaml paste: - app:armada-api: - paste.app_factory: armada.api.server:paste_start_armada - pipeline:main: + 'app:armada-api': + paste.app_factory: 'armada.api.server:paste_start_armada' + 'filter:authtoken': + paste.filter_factory: 'keystonemiddleware.auth_token:filter_factory' + 'pipeline:main': pipeline: authtoken armada-api - filter:authtoken: - paste.filter_factory: keystonemiddleware.auth_token:filter_factory policy: - admin_required: "role:admin" - service_or_admin: "rule:admin_required or rule:service_role" - service_role: "role:service" - armada:create_endpoints: "rule:admin_required" - armada:validate_manifest: "rule:admin_required" - armada:test_release: "rule:admin_required" - armada:test_manifest: "rule:admin_required" - tiller:get_status: "rule:admin_required" - tiller:get_released: "rule:admin_required" + admin_required: 'role:admin' + 'armada:create_endpoints': 'rule:admin_required' + 'armada:test_manifest': 'rule:admin_required' + 'armada:test_release': 'rule:admin_required' + 'armada:validate_manifest': 'rule:admin_required' + service_or_admin: 'rule:admin_required or rule:service_role' + service_role: 'role:service' + 'tiller:get_released': 'rule:admin_required' + 'tiller:get_status': 'rule:admin_required' pod: env: 
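Review bot: The default for the `armada` Keystone user becomes `password: password` while `role: admin` stays in place, so an install that forgets to override it would carry an admin-role service account with a guessable credential. A comment earlier in `values.yaml` says these values are typically overridden, but nothing visible here enforces it. Consider shipping an empty default and marking it in place, e.g. `password: null  # must be set per deployment`, ideally paired with a `required` check in the template that renders the secret. The `endpoints` mapping starts and ends outside this hunk.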
@@ -241,6 +249,6 @@ manifests: job_ks_service: true job_ks_user: true secret_keystone: true - service_api: true - service_ingress_api: true + service: true + service_ingress: true test_armada_api: true