From f68831334185341c0550ab3afec190cd6ba2bf36 Mon Sep 17 00:00:00 2001 From: Sean Eagan Date: Wed, 5 Feb 2020 12:18:05 -0600 Subject: [PATCH] Fix tiller kubernetes client caching The cache dir could no longer be written to when readOnlyRootFilesystem went into effect [0]. This adds a configurable volume/mount for the cache dir. [0]: https://review.opendev.org/#/c/703881/ Change-Id: I63a7c8575041aa3c6fd523213f8dffb0542fb0e5 --- charts/tiller/templates/deployment-tiller.yaml | 6 ++++++ charts/tiller/values.yaml | 12 +++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/charts/tiller/templates/deployment-tiller.yaml b/charts/tiller/templates/deployment-tiller.yaml index d7a0ddce..90df6174 100644 --- a/charts/tiller/templates/deployment-tiller.yaml +++ b/charts/tiller/templates/deployment-tiller.yaml @@ -31,6 +31,8 @@ httpGet: {{- if .Values.manifests.deployment_tiller }} {{- $envAll := . }} {{- $serviceAccountName := "tiller-deploy" }} +{{- $mounts_tiller := .Values.pod.mounts.tiller.tiller }} + {{ tuple $envAll "tiller_deploy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -89,6 +91,8 @@ spec: value: {{ .Values.Name }} - name: TILLER_HISTORY_MAX value: {{ .Values.deployment.tiller_history | quote }} + volumeMounts: +{{ toYaml $mounts_tiller.volumeMounts | indent 12 }} command: - /tiller {{- if .Values.conf.tiller.storage }} 
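Review bot: The `volumeMounts:` list added in the `@@ -89,6 +91,8 @@` hunk is rendered entirely from `$mounts_tiller.volumeMounts`, and the `volumes:` list in the `@@ -120,5 +124,7 @@` hunk is rendered the same way. Helm replaces list values on override rather than merging them, so an operator who sets `pod.mounts.tiller.tiller.volumeMounts` to add one mount drops the `kubernetes-client-cache` entry. With `readOnlyRootFilesystem` in effect, that brings back the unwritable cache dir this commit fixes. Overriding only one of the two lists also leaves a mount name with no matching volume, which the API server would reject. A template comment above the added lines would document this, for example `{{- /* values lists are replaced on override: keep the kubernetes-client-cache volume and mount when adding others */}}`. The container spec these lines sit in starts and ends outside both hunks.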
@@ -120,5 +124,7 @@ spec: protocol: TCP {{ dict "envAll" $envAll "component" "tiller" "container" "tiller" "type" "readiness" "probeTemplate" (include "tillerReadinessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }} {{ dict "envAll" $envAll "component" "tiller" "container" "tiller" "type" "liveness" "probeTemplate" (include "tillerLivenessProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }} + volumes: +{{ toYaml $mounts_tiller.volumes | indent 8 }} status: {} {{- end }} diff --git a/charts/tiller/values.yaml b/charts/tiller/values.yaml index 8b1ed273..cf7c3409 100644 --- a/charts/tiller/values.yaml +++ b/charts/tiller/values.yaml @@ -89,7 +89,17 @@ pod: requests: memory: "128Mi" cpu: "100m" - + mounts: + tiller: + tiller: + volumes: + - name: kubernetes-client-cache + emptyDir: {} + volumeMounts: + - name: kubernetes-client-cache + # Should be the `$HOME/.kube` of the `runAsUser` above + # as this is where tiller's kubernetes client roots its cache dir. + mountPath: /tmp/.kube network_policy: tiller: ingress:
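Review bot: The `emptyDir: {}` behind `kubernetes-client-cache` in the values.yaml hunk has no `sizeLimit`, so the writable path this change adds to a container with a read-only root filesystem is bounded only by the node's ephemeral storage. Setting a cap, written as `emptyDir:` with `sizeLimit: <SIZE_FOR_CACHE>` beneath it (placeholder, to be sized for the discovery cache), lets the kubelet evict the pod rather than let the cache grow on the node. The comment ties `mountPath: /tmp/.kube` to "the `runAsUser` above", which is defined outside this hunk. Naming the exact values key there would make the coupling checkable, since a changed user or HOME would presumably leave the cache dir on the read-only filesystem again.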