+++ /dev/null
-{{/*
- Copyright (c) 2019 AT&T Intellectual Property.
- Copyright (c) 2019 Nokia.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/}}
-{{- if .Values.global }}
-{{- if .Values.global.tillers }}
-{{- $topCtx := . }}
-{{- range keys .Values.global.tillers }}
-{{- $key := . }}
-{{- with index $topCtx.Values.global.tillers . }}
-{{- $nameSpace := .nameSpace }}
-{{- $deployNameSpace := .deployNameSpace }}
-{{- $img := .image.tiller }}
-{{- $secretName := default "tiller-secret" .secret.tillerSecretName }}
-{{- $ctx := dict "ctx" $topCtx "key" $key }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "common.serviceaccountname.tiller" $ctx }}
- namespace: {{ $deployNameSpace }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: {{ include "common.tillerName" $ctx }}-tiller-base
- namespace: {{ $nameSpace }}
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- resourceNames: [ {{ $secretName }} ]
- verbs: ["get"]
-- apiGroups: [""]
- resources: ["pods/portforward"]
- verbs: ["create"]
-- apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get"]
-- apiGroups: [""]
- resources: ["pods", "configmaps", "deployments", "services"]
- verbs: ["get", "list", "create", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-base
- namespace: {{ $nameSpace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "common.tillerName" $ctx }}-tiller-base
-subjects:
- - kind: ServiceAccount
- name: {{ include "common.serviceaccountname.tiller" $ctx }}
- namespace: {{ $deployNameSpace }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: {{ include "common.tillerName" $ctx }}-tiller-operation
- namespace: {{ $deployNameSpace }}
-rules:
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "list", "create", "delete", "update"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-operation
- namespace: {{ $deployNameSpace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "common.tillerName" $ctx }}-tiller-operation
-subjects:
- - kind: ServiceAccount
- name: {{ include "common.serviceaccountname.tiller" $ctx }}
- namespace: {{ $deployNameSpace }}
-{{- if .serviceAccount.role }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: {{ include "common.tillerName" $ctx }}-tiller-deployer
- namespace: {{ $nameSpace }}
-rules:
-{{ toYaml .serviceAccount.role }}
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-deployer
- namespace: {{ $nameSpace }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "common.tillerName" $ctx }}-tiller-deployer
-subjects:
- - kind: ServiceAccount
- name: {{ include "common.serviceaccountname.tiller" $ctx }}
- namespace: {{ $deployNameSpace }}
-{{- end }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: helm
- name: tiller
- name: {{ include "common.deploymentname.tiller" $ctx }}
- namespace: {{ $deployNameSpace }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: helm
- name: tiller
- template:
- metadata:
- labels:
- app: helm
- name: tiller
- spec:
- automountServiceAccountToken: true
- imagePullSecrets:
- {{- if $img.repositoryCred }}
- - name: {{ $img.repositoryCred }}
- {{- else }}
- - name: {{ include "common.repositoryCred" $topCtx }}
- {{- end }}
- containers:
- - env:
- - name: TILLER_NAMESPACE
- value: {{ $deployNameSpace }}
- - name: TILLER_HISTORY_MAX
- value: "0"
- - name: TILLER_TLS_VERIFY
- value: "1"
- - name: TILLER_TLS_ENABLE
- value: "1"
- - name: TILLER_TLS_CERTS
- value: /etc/certs
- image: {{ if $img.repository }}{{- $img.repository -}}/{{ else }}{{ include "common.repository" $topCtx -}}/{{- end -}}{{- $img.name -}}{{- if $img.tag -}} : {{- $img.tag -}} {{- end }}
- imagePullPolicy: {{ default "IfNotPresent" $img.pullPolicy }}
- livenessProbe:
- httpGet:
- path: /liveness
- port: 44135
- initialDelaySeconds: 1
- timeoutSeconds: 1
- name: tiller
- ports:
- - containerPort: 44134
- name: tiller
- - containerPort: 44135
- name: http
- readinessProbe:
- httpGet:
- path: /readiness
- port: 44135
- initialDelaySeconds: 1
- timeoutSeconds: 1
- volumeMounts:
- - mountPath: /etc/certs
- name: tiller-certs
- readOnly: true
- serviceAccountName: {{ include "common.serviceaccountname.tiller" $ctx }}
- volumes:
- - name: tiller-certs
- secret:
- secretName: {{ $secretName }}
----
-apiVersion: v1
-kind: Service
-metadata:
- creationTimestamp: null
- labels:
- app: helm
- name: tiller
- name: {{ include "common.servicename.tiller" $ctx }}
- namespace: {{ $deployNameSpace }}
-spec:
- ports:
- - name: tiller
- port: {{ default 44134 .port }}
- targetPort: tiller
- selector:
- app: helm
- name: tiller
- type: ClusterIP
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}