[monasca] add RBAC rules for monasca-agent and the cleanup job #403

Merged
merged 2 commits into from
Feb 27, 2018
2 changes: 1 addition & 1 deletion monasca/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
description: A Helm chart for Monasca running in Kubernetes
name: monasca
version: 0.5.0
version: 0.6.0
sources:
- https://wiki.openstack.org/wiki/Monasca
maintainers:
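--- a/monasca/templates/agent-clusterrole.yaml
+++ b/monasca/templates/agent-clusterrole.yaml
@@ -0,0 +1,30 @@
+{{- if and (.Values.rbac.create) (not .Values.agent.serviceAccount) }}
+kind: ClusterRole
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+metadata:
+name: "{{ template "agent.fullname" . }}"
+rules:
+- apiGroups: ["", "extensions", "storage.k8s.io"]
+verbs: ["get", "list"]
+resources:
+- namespaces
+- pods
+- replicasets
+- deployments
+- replicationcontrollers
+- nodes
+- services
+- componentstatuses
+- storageclasses
+- apiGroups: ["", "batch", "extensions", "storage.k8s.io"]
+verbs: ["get", "list", "delete"]
+resources:
+- jobs
+- pods
+{{- end }}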
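Review bot: The second rule grants `delete` on `pods` and `jobs` through a ClusterRole, so the agent's service account can delete pods and jobs in every namespace of the cluster rather than only in the release namespace. Nothing visible in this change shows the agent deleting anything, and the cleanup job already receives `delete` from its own namespaced Role in cleanup-role.yaml, so this rule looks like it can be dropped; if the agent has to read jobs, add `jobs` and the `batch` group to the first rule under `verbs: ["get", "list"]`. The shared `apiGroups` lists also pair every resource with every group, and splitting the rules per group (core for pods, `batch` for jobs) would make the grant easier to audit.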
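--- a/monasca/templates/agent-clusterrolebinding.yaml
+++ b/monasca/templates/agent-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if and (.Values.rbac.create) (not .Values.agent.serviceAccount) }}
+kind: ClusterRoleBinding
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+metadata:
+name: "{{ template "agent.fullname" . }}"
+subjects:
+- kind: ServiceAccount
+name: "{{ template "agent.fullname" . }}"
+namespace: "{{ .Release.Namespace }}"
+roleRef:
+kind: ClusterRole
+name: "{{ template "agent.fullname" . }}"
+apiGroup: rbac.authorization.k8s.io
+{{- end }}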
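Review bot: The `metadata` block here carries only a `name`, while the cleanup Role, the cleanup RoleBinding and both ServiceAccounts get the `app`/`chart`/`component`/`heritage`/`release` labels; agent-clusterrole.yaml has the same gap. These two objects are cluster-scoped, so labels are the simplest way for an operator to trace a cluster-wide grant back to the release that created it. I would add the same `labels:` block used in agent-serviceaccount.yaml, with `component: "{{ .Values.agent.name }}"`.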
5 changes: 5 additions & 0 deletions monasca/templates/agent-daemonset.yaml
@@ -149,4 +149,9 @@ spec:
value: {{ .Values.agent.forwarder.backlog_send_rate | quote }}
- name: HOSTNAME_FROM_KUBERNETES
value: "true"
{{- if .Values.agent.serviceAccount }}
serviceAccountName: {{ .Values.agent.serviceAccount | quote }}
{{- else if .Values.rbac.create }}
serviceAccountName: "{{ template "agent.fullname" . }}"
{{- end }}
{{- end}}
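Review bot: The same `serviceAccountName` if/else block is added here, in agent-deployment.yaml and, with the `cleanup` values, in cleanup-hook.yaml, while the matching create condition is repeated in each RBAC template; one named helper template per component would keep the account name used by the pod and the name of the created ServiceAccount from drifting apart. Short of that, a comment above the block such as `{{- /* an explicit serviceAccount wins; otherwise use the account created when rbac.create is set */ -}}` would document the precedence. The enclosing pod spec starts outside this hunk, so the nesting of the new key cannot be checked from here.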
5 changes: 5 additions & 0 deletions monasca/templates/agent-deployment.yaml
@@ -147,4 +147,9 @@ spec:
configMap:
name: {{ template "agent.fullname" . }}
{{- end}}
{{- if .Values.agent.serviceAccount }}
serviceAccountName: {{ .Values.agent.serviceAccount | quote }}
{{- else if .Values.rbac.create }}
serviceAccountName: "{{ template "agent.fullname" . }}"
{{- end }}
{{- end}}
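--- a/monasca/templates/agent-serviceaccount.yaml
+++ b/monasca/templates/agent-serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and (.Values.rbac.create) (not .Values.agent.serviceAccount) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: "{{ template "agent.fullname" . }}"
+labels:
+app: {{ template "fullname" . }}
+chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+component: "{{ .Values.agent.name }}"
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+{{- end }}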
5 changes: 5 additions & 0 deletions monasca/templates/cleanup-hook.yaml
@@ -40,3 +40,8 @@ spec:
value: "{{ .Values.cleanup.wait.delay }}"
- name: "WAIT_TIMEOUT"
value: "{{ .Values.cleanup.wait.timeout }}"
{{- if .Values.cleanup.serviceAccount }}
serviceAccountName: {{ .Values.cleanup.serviceAccount | quote }}
{{- else if .Values.rbac.create }}
serviceAccountName: "{{ template "cleanup.fullname" . }}"
{{- end }}
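--- a/monasca/templates/cleanup-role.yaml
+++ b/monasca/templates/cleanup-role.yaml
@@ -0,0 +1,25 @@
+{{- if and (.Values.rbac.create) (not .Values.cleanup.serviceAccount) }}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+kind: Role
+metadata:
+name: {{ template "cleanup.fullname" . }}
+labels:
+app: {{ template "fullname" . }}
+chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+component: "{{ .Values.cleanup.name }}"
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+resources: ["pods"]
+verbs: ["get", "list", "delete", "patch"]
+- apiGroups: ["batch"]
+resources: ["jobs"]
+verbs: ["get", "list", "delete"]
+{{- end }}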
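Review bot: If none of the three `.Capabilities.APIVersions.Has` branches matches, this template renders a Role with no `apiVersion` line, which the API server would presumably reject with an error that says nothing about RBAC; the same selection block is copied into cleanup-rolebinding.yaml, agent-clusterrole.yaml and agent-clusterrolebinding.yaml. Moving the selection into one named template included from all four files would keep them in step, and a comment on it should say what is expected to happen when the cluster serves no RBAC API group. On the rules themselves, a namespaced Role is the right scope for the cleanup job, and a one-line comment on why pods need `patch` would help the next reviewer.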
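--- a/monasca/templates/cleanup-rolebinding.yaml
+++ b/monasca/templates/cleanup-rolebinding.yaml
@@ -0,0 +1,26 @@
+{{- if and (.Values.rbac.create) (not .Values.cleanup.serviceAccount) }}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+kind: RoleBinding
+metadata:
+name: {{ template "cleanup.fullname" . }}
+labels:
+app: {{ template "fullname" . }}
+chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+component: "{{ .Values.cleanup.name }}"
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+subjects:
+- kind: ServiceAccount
+name: {{ template "cleanup.fullname" . }}
+namespace: "{{ .Release.Namespace }}"
+roleRef:
+kind: Role
+name: {{ template "cleanup.fullname" . }}
+apiGroup: rbac.authorization.k8s.io
+{{- end }}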
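--- a/monasca/templates/cleanup-serviceaccount.yaml
+++ b/monasca/templates/cleanup-serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and (.Values.rbac.create) (not .Values.cleanup.serviceAccount) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: {{ template "cleanup.fullname" . }}
+labels:
+app: {{ template "fullname" . }}
+chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+component: "{{ .Values.cleanup.name }}"
+heritage: {{ .Release.Service }}
+release: {{ .Release.Name }}
+{{- end }}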
37 changes: 0 additions & 37 deletions monasca/templates/role.yaml

This file was deleted.

18 changes: 14 additions & 4 deletions monasca/values.yaml
@@ -111,6 +111,12 @@ mysql:

agent:
name: agent

# an optional preexisting ServiceAccount to use
# to create a service account automatically for the agent, deploy with:
# rbac.create=true
serviceAccount: ''

daemonset_enabled: true
deployment_enabled: true
daemonset_toleration:
@@ -667,11 +673,15 @@ client:
project_domain_name: Default

rbac:
enabled: false
apiVersion: rbac.authorization.k8s.io/v1beta1
create: false

cleanup:
name: cleanup

# an optional preexisting ServiceAccount to use
# to create a service account for the job automatically, deploy with:
# rbac.create=true
serviceAccount: ''
image:
repository: monasca/job-cleanup
tag: 1.2.1
@@ -1600,8 +1610,8 @@ smoke_tests:

alarm_definition_controller:
name: adc
controller_enabled: true
resource_enabled: true
controller_enabled: false
resource_enabled: false
image:
repository: monasca/alarm-definition-controller
tag: 1.1.0
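Review bot: The `rbac` block in the second hunk appears to swap `enabled` and `apiVersion` for `create`, judging by the deleted role.yaml and the new templates, so an existing install that sets `rbac.enabled=true` would silently stop getting any RBAC objects after moving to this chart version; the rename deserves an upgrade note next to the key. The new `serviceAccount` comments should also say that a preexisting account gets no Role or ClusterRole from the chart, for example `# the chart creates no RBAC objects for this account; bind the permissions yourself`. In the last hunk `alarm_definition_controller.controller_enabled` and `resource_enabled` are shown with both `true` and `false`; if the new default is `false`, that is a behavior change the PR title does not mention.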