+if [ ! -z "$LOCAL_REPOSITORY" ]; then
+ LOCAL_REPOSITORY="$LOCAL_REPOSITORY/"
+fi
+
+
+echo Add cluster roles
+ cat >ricplt-role.yaml <<EOF
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ricplt-system-tiller
+rules:
+ - apiGroups: [""]
+ resources: ["deployments"]
+ verbs: ["get", "list", "create", "delete"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "create", "delete"]
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles", "clusterrolebindings"]
+ verbs: ["get", "list", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list", "watch", "get"]
+ - apiGroups: [""]
+ resources: ["nodes/metrics"]
+ verbs: ["list", "watch", "get"]
+ - apiGroups: [""]
+ resources: ["nodes/proxy"]
+ verbs: ["list", "watch", "get"]
+ - apiGroups: ["configuration.konghq.com"]
+ resources: ["kongconsumers"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["configuration.konghq.com"]
+ resources: ["kongcredentials"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["configuration.konghq.com"]
+ resources: ["kongingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["configuration.konghq.com"]
+ resources: ["kongplugins"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["watch", "list", "get", "create", "delete", "update"]
+ - apiGroups: [""]
+ resources: ["ingresses"]
+ verbs: ["watch", "list", "get", "create", "delete", "update"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["watch", "list", "get", "create", "delete"]
+ - apiGroups: ["danm.k8s.io"]
+ resources: ["clusternetworks"]
+ verbs: ["watch", "list", "get", "create", "delete"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses/status"]
+ verbs: ["update", "get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["update", "get", "list", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources: ["certificatesigningrequests"]
+ verbs: ["list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["list", "watch"]
+ - nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ricplt-system-tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ricplt-system-tiller
+subjects:
+ - kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
+EOF
+
+if [ -z $IS_HELM3 ]
+then
+ kubectl apply -f ricplt-role.yaml
+ rm ricplt-role.yaml
+fi
+
+
+# Add kernel optimization for radis services
+if $KERNEL_OPTIMIZATION; then
+ cat >kernel_optimizer.yaml <<EOF
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ namespace: ${INFRANAMESPACE:-ricinfra}
+ name: redis-kernel-optimizer
+spec:
+ selector:
+ matchLabels:
+ app: redis-kernel-optimizer
+ template:
+ metadata:
+ labels:
+ app: redis-kernel-optimizer
+ spec:
+ volumes:
+ - name: sys
+ hostPath:
+ path: /sys
+ containers:
+ - name: disable-thp
+ image: ${LOCAL_REPOSITORY}busybox
+ securityContext:
+ runAsNonRoot: false
+ privileged: true
+ runAsUser: 0
+ command: ["sh", "-c"]
+ args:
+ - |-
+ set -e
+ set -o pipefail
+ trap 'exit' TERM
+ echo never > /rootfs/sys/kernel/mm/transparent_hugepage/enabled
+ echo never > /rootfs/sys/kernel/mm/transparent_hugepage/defrag
+ sysctl -w net.core.somaxconn=511
+ grep -q -F [never] /sys/kernel/mm/transparent_hugepage/enabled
+ grep -q -F [never] /sys/kernel/mm/transparent_hugepage/defrag
+ sysctl -n net.core.somaxconn | grep 511 -q
+ echo "done"
+ while true; do sleep 1; done
+ volumeMounts:
+ - name: sys
+ mountPath: /rootfs/sys
+EOF
+kubectl apply -f kernel_optimizer.yaml
+wait_for_pods redis-kernel-optimizer ${INFRANAMESPACE:-ricinfra}
+wait_for_cats redis-kernel-optimizer ${INFRANAMESPACE:-ricinfra}
+kubectl delete -f kernel_optimizer.yaml
+rm kernel_optimizer.yaml
+fi
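Review bot: The gate `if $KERNEL_OPTIMIZATION; then` runs the variable's value as a command, and an unset or empty value expands to a null command that returns success, so unless the variable is defaulted earlier in the script (outside this hunk) the branch is taken whenever the flag is missing. That branch deploys a DaemonSet that runs as root with `privileged: true` and the host's `/sys` mounted, so it should be strictly opt-in: `if [ "${KERNEL_OPTIMIZATION:-false}" = "true" ]; then`. The image `${LOCAL_REPOSITORY}busybox` carries no tag or digest, so whatever the registry currently serves by default runs privileged on each node the DaemonSet schedules to; pin it, e.g. `image: ${LOCAL_REPOSITORY}busybox:<pinned-tag-or-digest>`. Separately, the ClusterRole above grants `create`/`delete` on `clusterroles` and `clusterrolebindings`, plus access to `nodes/proxy`, to the `tiller` service account in `kube-system`; a comment stating which chart needs each rule would let it be narrowed later.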