RBAC: Update serviceaccount and k8s rbac for drydock

This patch set brings the drydock chart to be inline with OSH* RBAC approach used in [0] and [1]. [0] https://review.openstack.org/#/c/526464/52 [1] https://review.openstack.org/#/c/529378/ Change-Id: Ia1e5510605e38068e30e966cdd7d030154f5e6f4
2017-12-28 17:11:37 +00:00 · 2017-12-28 17:11:37 +00:00 · 253c6f6bb4
commit 253c6f6bb4
parent 1c78477e95
6 changed files with 58 additions and 41 deletions
--- a/charts/drydock/templates/deployment.yaml
+++ b/charts/drydock/templates/deployment.yaml
@ -16,6 +16,8 @@
 {{- if .Values.manifests.deployment_drydock }}
 {{- $envAll := . -}}
 {{- $dependencies := .Values.dependencies.api }}
+{{- $serviceAccountName := "drydock-api" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: Deployment
@ -32,11 +34,12 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: Always
      affinity:
 {{ tuple $envAll "drydock" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: drydock-api
          env:
--- a/charts/drydock/templates/job-drydock-db-init.yaml
+++ b/charts/drydock/templates/job-drydock-db-init.yaml
@ -14,39 +14,52 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

-{{- if .Values.manifests.job_drydock_db_sync }}
+{{- if .Values.manifests.job_drydock_db_init }}
 {{- $envAll := . }}
-{{- $dependencies := .Values.dependencies.db_sync }}
+{{- $dependencies := .Values.dependencies.db_init }}
+{{- $serviceAccountName := "drydock-db-init" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: drydock-db-sync
+  name: drydock-db-init
 spec:
  template:
    metadata:
      labels:
-{{ tuple $envAll "drydock" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{ tuple $envAll "drydock" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
-        - name: drydock-db-sync
-          image: {{ .Values.images.tags.drydock_db_sync | quote }}
+        - name: drydock-db-init
+          image: {{ .Values.images.tags.drydock_db_init | quote }}
          imagePullPolicy: {{ .Values.images.pull_policy | quote }}
-{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          env:
-            - name: DRYDOCK_DB_URL
-              value: {{ tuple "postgresql" "internal" "user" "postgresql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
+            - name: DB_NAME
+              value: {{ .Values.database.postgresql.db_name | quote }}
+            - name: DB_USER
+              value: {{ .Values.endpoints.postgresql.auth.user.username | quote }}
+            - name: DB_PASS
+              value: {{ .Values.endpoints.postgresql.auth.user.password | quote}}
+            - name: DB_FQDN
+              value: {{ tuple "postgresql" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | quote}}
+            - name: DB_PORT
+              value: {{ tuple "postgresql" "internal" "postgresql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
+            - name: ROOT_DB_USER
+              value: {{ .Values.endpoints.postgresql.auth.admin.username | quote }}
          command:
-            - /tmp/db-sync.sh
+            - /tmp/db-init.sh
          volumeMounts:
            - name: drydock-bin
-              mountPath: /tmp/db-sync.sh
-              subPath: db-sync.sh
+              mountPath: /tmp/db-init.sh
+              subPath: db-init.sh
              readOnly: true
      volumes:
        - name: drydock-bin
--- a/charts/drydock/templates/job-drydock-db-sync.yaml
+++ b/charts/drydock/templates/job-drydock-db-sync.yaml
@ -14,49 +14,42 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

-{{- if .Values.manifests.job_drydock_db_init }}
+{{- if .Values.manifests.job_drydock_db_sync }}
 {{- $envAll := . }}
-{{- $dependencies := .Values.dependencies.db_init }}
+{{- $dependencies := .Values.dependencies.db_sync }}
+{{- $serviceAccountName := "drydock-db-sync" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: drydock-db-init
+  name: drydock-db-sync
 spec:
  template:
    metadata:
      labels:
-{{ tuple $envAll "drydock" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+{{ tuple $envAll "drydock" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
-        - name: drydock-db-init
-          image: {{ .Values.images.tags.drydock_db_init | quote }}
+        - name: drydock-db-sync
+          image: {{ .Values.images.tags.drydock_db_sync | quote }}
          imagePullPolicy: {{ .Values.images.pull_policy | quote }}
-{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ tuple $envAll $envAll.Values.pod.resources.jobs.drydock_db_sync | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          env:
-            - name: DB_NAME
-              value: {{ .Values.database.postgresql.db_name | quote }}
-            - name: DB_USER
-              value: {{ .Values.endpoints.postgresql.auth.user.username | quote }}
-            - name: DB_PASS
-              value: {{ .Values.endpoints.postgresql.auth.user.password | quote}}
-            - name: DB_FQDN
-              value: {{ tuple "postgresql" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" | quote}}
-            - name: DB_PORT
-              value: {{ tuple "postgresql" "internal" "postgresql" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
-            - name: ROOT_DB_USER
-              value: {{ .Values.endpoints.postgresql.auth.admin.username | quote }}
+            - name: DRYDOCK_DB_URL
+              value: {{ tuple "postgresql" "internal" "user" "postgresql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" | quote }}
          command:
-            - /tmp/db-init.sh
+            - /tmp/db-sync.sh
          volumeMounts:
            - name: drydock-bin
-              mountPath: /tmp/db-init.sh
-              subPath: db-init.sh
+              mountPath: /tmp/db-sync.sh
+              subPath: db-sync.sh
              readOnly: true
      volumes:
        - name: drydock-bin
--- a/charts/drydock/templates/job-ks-endpoints.yaml
+++ b/charts/drydock/templates/job-ks-endpoints.yaml
@ -16,7 +16,8 @@
 {{- if .Values.manifests.job_ks_endpoints }}
 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_endpoints }}
-
+{{- $serviceAccountName := "drydock-ks-endpoints" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -28,11 +29,12 @@ spec:
      labels:
 {{ tuple $envAll "drydock" "ks-endpoints" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
 {{- range $key1, $osServiceType := tuple "physicalprovisioner" }}
 {{- range $key2, $osServiceEndPoint := tuple "admin" "internal" "public" }}
--- a/charts/drydock/templates/job-ks-service.yaml
+++ b/charts/drydock/templates/job-ks-service.yaml
@ -18,6 +18,8 @@
 {{- $envAll := . }}
 {{- $ksAdminSecret := .Values.secrets.identity.admin }}
 {{- $dependencies := .Values.dependencies.ks_service }}
+{{- $serviceAccountName := "drydock-ks-service" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,11 +31,12 @@ spec:
      labels:
 {{ tuple $envAll "drydock" "ks-service" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
 {{- range $key1, $osServiceType := tuple "physicalprovisioner" }}
        - name: {{ $osServiceType }}-ks-service-registration
--- a/charts/drydock/templates/job-ks-user.yaml
+++ b/charts/drydock/templates/job-ks-user.yaml
@ -17,6 +17,8 @@

 {{- $envAll := . }}
 {{- $dependencies := .Values.dependencies.ks_user }}
+{{- $serviceAccountName := "drydock-ks-user" }}
+{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -28,11 +30,12 @@ spec:
      labels:
 {{ tuple $envAll "drydock" "ks-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      initContainers:
-{{ tuple $envAll $dependencies "[]" | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
        - name: drydock-ks-user
          image: {{ .Values.images.tags.ks_user }}