From 253c6f6bb45fe1ffd69984b69cee80e5065097e2 Mon Sep 17 00:00:00 2001 From: Anthony Lin Date: Thu, 28 Dec 2017 17:11:37 +0000 Subject: [PATCH] RBAC: Update serviceaccount and k8s rbac for drydock This patch set brings the drydock chart to be inline with OSH* RBAC approach used in [0] and [1]. [0] https://review.openstack.org/#/c/526464/52 [1] https://review.openstack.org/#/c/529378/ Change-Id: Ia1e5510605e38068e30e966cdd7d030154f5e6f4 --- charts/drydock/templates/deployment.yaml | 5 ++- .../templates/job-drydock-db-init.yaml | 39 ++++++++++++------- .../templates/job-drydock-db-sync.yaml | 39 ++++++++----------- .../drydock/templates/job-ks-endpoints.yaml | 6 ++- charts/drydock/templates/job-ks-service.yaml | 5 ++- charts/drydock/templates/job-ks-user.yaml | 5 ++- 6 files changed, 58 insertions(+), 41 deletions(-) diff --git a/charts/drydock/templates/deployment.yaml b/charts/drydock/templates/deployment.yaml index b30159a6..863f970f 100644 --- a/charts/drydock/templates/deployment.yaml +++ b/charts/drydock/templates/deployment.yaml @@ -16,6 +16,8 @@ {{- if .Values.manifests.deployment_drydock }} {{- $envAll := . -}} {{- $dependencies := .Values.dependencies.api }} +{{- $serviceAccountName := "drydock-api" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: apps/v1beta1 kind: Deployment 
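Review bot: The account name set at `{{- $serviceAccountName := "drydock-api" }}` is a fixed literal rather than derived from the release, so the ServiceAccount the `kubernetes_pod_rbac_serviceaccount` include creates (and, presumably, whatever role objects it generates for the namespaces in `$dependencies`) carries the same name in every release installed into a namespace, and two releases of this chart side by side would collide on those objects. If that layout is meant to be supported, `{{- $serviceAccountName := printf "%s-%s" .Release.Name "drydock-api" }}` avoids the clash, and the same literal pattern appears in the five job templates changed by this patch. The permissions bound to the account live in the helm-toolkit snippet and are not visible in this diff; a short comment above the include such as `{{/* Dedicated SA for the API pod; the bound role should cover only what kubernetes-entrypoint needs to watch the dependencies */}}` would record the intent, which matters because the token is mounted into the long-running `drydock-api` container as well as the init container. The Deployment object of deployment.yaml starts in this hunk and continues into the next.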
@@ -32,11 +34,12 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: Always affinity: {{ tuple $envAll "drydock" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: drydock-api env: diff --git a/charts/drydock/templates/job-drydock-db-init.yaml b/charts/drydock/templates/job-drydock-db-init.yaml index c6fdfb53..ab5f5524 100644 --- a/charts/drydock/templates/job-drydock-db-init.yaml +++ b/charts/drydock/templates/job-drydock-db-init.yaml 
@@ -14,39 +14,52 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.job_drydock_db_sync }} +{{- if .Values.manifests.job_drydock_db_init }} {{- $envAll := . }} -{{- $dependencies := .Values.dependencies.db_sync }} +{{- $dependencies := .Values.dependencies.db_init }} +{{- $serviceAccountName := "drydock-db-init" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: drydock-db-sync + name: drydock-db-init spec: template: metadata: labels: -{{ tuple $envAll "drydock" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{ tuple $envAll "drydock" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - - name: drydock-db-sync - image: {{ .Values.images.tags.drydock_db_sync | quote }} + - name: drydock-db-init + image: {{ .Values.images.tags.drydock_db_init | quote }} imagePullPolicy: {{ .Values.images.pull_policy | quote }} -{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: - - name: DRYDOCK_DB_URL - value: {{ tuple "postgresql" "internal" "user" "postgresql" . 
| include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }} + - name: DB_NAME + value: {{ .Values.database.postgresql.db_name | quote }} + - name: DB_USER + value: {{ .Values.endpoints.postgresql.auth.user.username | quote }} + - name: DB_PASS + value: {{ .Values.endpoints.postgresql.auth.user.password | quote}} + - name: DB_FQDN + value: {{ tuple "postgresql" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | quote}} + - name: DB_PORT + value: {{ tuple "postgresql" "internal" "postgresql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} + - name: ROOT_DB_USER + value: {{ .Values.endpoints.postgresql.auth.admin.username | quote }} command: - - /tmp/db-sync.sh + - /tmp/db-init.sh volumeMounts: - name: drydock-bin - mountPath: /tmp/db-sync.sh - subPath: db-sync.sh + mountPath: /tmp/db-init.sh + subPath: db-init.sh readOnly: true volumes: - name: drydock-bin diff --git a/charts/drydock/templates/job-drydock-db-sync.yaml b/charts/drydock/templates/job-drydock-db-sync.yaml index dc4dfd77..2e9d32d9 100644 --- a/charts/drydock/templates/job-drydock-db-sync.yaml +++ b/charts/drydock/templates/job-drydock-db-sync.yaml 
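Review bot: The new `DB_PASS` entry passes the database password as a literal environment value, `value: {{ .Values.endpoints.postgresql.auth.user.password | quote}}`, so it is rendered into the Job manifest and is readable by anything allowed to get pods or jobs in the namespace; the dedicated service account added in this hunk does nothing to narrow that exposure. A `valueFrom.secretKeyRef` reference to a chart-managed Secret keeps the same variable name for `db-init.sh` without placing the value in the pod spec (I believe this is also how the OSH jobs this patch aligns with pass their DB credentials), and the same applies to the `DRYDOCK_DB_URL` value in job-drydock-db-sync.yaml, which embeds the credentials in the URI. Separately, `| quote}}` on the `DB_PASS` and `DB_FQDN` lines lacks the space before `}}` that every other action in the hunk uses; Go templates accept it, but `| quote }}` keeps the file uniform. No admin password appears beside `ROOT_DB_USER`; if `db-init.sh` needs one, confirm how it obtains it rather than adding it as another plain value.
```yaml
        env:
          # … unchanged: DB_NAME, DB_USER …
          - name: DB_PASS
            valueFrom:
              secretKeyRef:
                name: <PLACEHOLDER: Secret holding the postgresql user password>
                key: DB_PASS
          # … unchanged: DB_FQDN, DB_PORT, ROOT_DB_USER …
```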
@@ -14,49 +14,42 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.job_drydock_db_init }} +{{- if .Values.manifests.job_drydock_db_sync }} {{- $envAll := . }} -{{- $dependencies := .Values.dependencies.db_init }} +{{- $dependencies := .Values.dependencies.db_sync }} +{{- $serviceAccountName := "drydock-db-sync" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job metadata: - name: drydock-db-init + name: drydock-db-sync spec: template: metadata: labels: -{{ tuple $envAll "drydock" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} +{{ tuple $envAll "drydock" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - - name: drydock-db-init - image: {{ .Values.images.tags.drydock_db_init | quote }} + - name: drydock-db-sync + image: {{ .Values.images.tags.drydock_db_sync | quote }} imagePullPolicy: {{ .Values.images.pull_policy | quote }} -{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} +{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} env: - - name: DB_NAME - value: {{ .Values.database.postgresql.db_name | quote }} - - name: DB_USER - value: {{ .Values.endpoints.postgresql.auth.user.username | quote }} - 
- name: DB_PASS - value: {{ .Values.endpoints.postgresql.auth.user.password | quote}} - - name: DB_FQDN - value: {{ tuple "postgresql" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | quote}} - - name: DB_PORT - value: {{ tuple "postgresql" "internal" "postgresql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} - - name: ROOT_DB_USER - value: {{ .Values.endpoints.postgresql.auth.admin.username | quote }} + - name: DRYDOCK_DB_URL + value: {{ tuple "postgresql" "internal" "user" "postgresql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }} command: - - /tmp/db-init.sh + - /tmp/db-sync.sh volumeMounts: - name: drydock-bin - mountPath: /tmp/db-init.sh - subPath: db-init.sh + mountPath: /tmp/db-sync.sh + subPath: db-sync.sh readOnly: true volumes: - name: drydock-bin diff --git a/charts/drydock/templates/job-ks-endpoints.yaml b/charts/drydock/templates/job-ks-endpoints.yaml index cbf2698e..309874c8 100755 --- a/charts/drydock/templates/job-ks-endpoints.yaml +++ b/charts/drydock/templates/job-ks-endpoints.yaml @@ -16,7 +16,8 @@ {{- if .Values.manifests.job_ks_endpoints }} {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_endpoints }} - +{{- $serviceAccountName := "drydock-ks-endpoints" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -28,11 +29,12 @@ spec: labels: {{ tuple $envAll "drydock" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "physicalprovisioner" }} {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }} diff --git a/charts/drydock/templates/job-ks-service.yaml b/charts/drydock/templates/job-ks-service.yaml index 12399cc8..b7158ae9 100755 --- a/charts/drydock/templates/job-ks-service.yaml +++ b/charts/drydock/templates/job-ks-service.yaml @@ -18,6 +18,8 @@ {{- $envAll := . }} {{- $ksAdminSecret := .Values.secrets.identity.admin }} {{- $dependencies := .Values.dependencies.ks_service }} +{{- $serviceAccountName := "drydock-ks-service" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job 
@@ -29,11 +31,12 @@ spec: labels: {{ tuple $envAll "drydock" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: {{- range $key1, $osServiceType := tuple "physicalprovisioner" }} - name: {{ $osServiceType }}-ks-service-registration diff --git a/charts/drydock/templates/job-ks-user.yaml b/charts/drydock/templates/job-ks-user.yaml index e36ad32d..7be05d90 100755 --- a/charts/drydock/templates/job-ks-user.yaml +++ b/charts/drydock/templates/job-ks-user.yaml @@ -17,6 +17,8 @@ {{- $envAll := . }} {{- $dependencies := .Values.dependencies.ks_user }} +{{- $serviceAccountName := "drydock-ks-user" }} +{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: batch/v1 kind: Job @@ -28,11 +30,12 @@ spec: labels: {{ tuple $envAll "drydock" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} spec: + serviceAccountName: {{ $serviceAccountName }} restartPolicy: OnFailure nodeSelector: {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }} initContainers: -{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} +{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} containers: - name: drydock-ks-user image: {{ .Values.images.tags.ks_user }}
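Review bot: The `image:` value at the end of the ks-user hunk, `image: {{ .Values.images.tags.ks_user }}`, is the only image reference in this patch rendered without `| quote`; the db-init and db-sync jobs write `image: {{ .Values.images.tags.drydock_db_init | quote }}`. An image reference is a plain string that does not normally contain YAML-special characters, so this is a consistency point rather than a rendering bug, but `image: {{ .Values.images.tags.ks_user | quote }}` would keep the job templates in this patch uniform and guard against a tag value that happens to start with a YAML indicator. This line is unchanged context on the new side, so it can be folded in here or left for a follow-up.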