RBAC: Update serviceaccount and k8s rbac for maas
This patch set brings the maas chart to be inline with OSH* RBAC approach used in [0] and [1] [0] https://review.openstack.org/#/c/526464/52 [1] https://review.openstack.org/#/c/529378/ Change-Id: I3138a0f6280ab7d8ca9c8088ae19ec0c2175292c
This commit is contained in:
parent
c9e646c3dc
commit
b664579d57
|
@ -19,6 +19,8 @@ limitations under the License.
|
|||
{{- end -}}
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.rack_controller }}
|
||||
{{- $serviceAccountName := "maas-rack" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
{{- $mounts_maas_rack := .Values.pod.mounts.maas_rack }}
|
||||
{{- $mounts_maas_rack_init := .Values.pod.mounts.maas_rack.init_container }}
|
||||
---
|
||||
|
@ -36,6 +38,7 @@ spec:
|
|||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "maas" "rack" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
nodeSelector:
|
||||
|
|
|
@ -16,6 +16,8 @@ limitations under the License.
|
|||
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.bootstrap_admin_user }}
|
||||
{{- $serviceAccountName := "maas-bootstrap-admin-user" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
|
@ -27,6 +29,7 @@ spec:
|
|||
labels:
|
||||
{{ tuple $envAll "maas" "bootstrap-admin-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
|
||||
|
|
|
@ -16,6 +16,8 @@ limitations under the License.
|
|||
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.db_init }}
|
||||
{{- $serviceAccountName := "maas-db-init" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
|
@ -27,6 +29,7 @@ spec:
|
|||
labels:
|
||||
{{ tuple $envAll "maas" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
|
||||
|
|
|
@ -16,6 +16,8 @@ limitations under the License.
|
|||
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.db_sync }}
|
||||
{{- $serviceAccountName := "maas-db-sync" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
|
@ -27,6 +29,7 @@ spec:
|
|||
labels:
|
||||
{{ tuple $envAll "maas" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
|
||||
|
|
|
@ -17,6 +17,35 @@ limitations under the License.
|
|||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.export_api_key }}
|
||||
{{- $initMounts := .Values.pod.mounts.export_api_key.export_api_key }}
|
||||
{{- $serviceAccountName := "maas-export-api-key" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ $serviceAccountName }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- create
|
||||
- update
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ $serviceAccountName }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ $serviceAccountName }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ $serviceAccountName }}
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
|
@ -28,6 +57,7 @@ spec:
|
|||
labels:
|
||||
{{ tuple $envAll "maas" "export-api-key" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
|
||||
|
|
|
@ -16,6 +16,8 @@ limitations under the License.
|
|||
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.import_resources }}
|
||||
{{- $serviceAccountName := "maas-import-resources" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
|
@ -27,6 +29,7 @@ spec:
|
|||
labels:
|
||||
{{ tuple $envAll "maas" "import-resources" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
|
||||
|
|
|
@ -15,6 +15,8 @@
|
|||
{{- if .Values.manifests.region_statefulset }}
|
||||
{{- $envAll := . }}
|
||||
{{- $dependencies := .Values.dependencies.region_controller }}
|
||||
{{- $serviceAccountName := "maas-region" }}
|
||||
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
||||
{{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }}
|
||||
{{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }}
|
||||
---
|
||||
|
@ -31,6 +33,7 @@ spec:
|
|||
{{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||
annotations:
|
||||
spec:
|
||||
serviceAccountName: {{ $serviceAccountName }}
|
||||
affinity:
|
||||
{{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
|
||||
nodeSelector:
|
||||
|
|
Loading…
Reference in New Issue