--- /dev/null
+{{/*
+ Copyright (c) 2019 AT&T Intellectual Property.
+ Copyright (c) 2019 Nokia.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/}}
+{{- if .Values.global }}
+{{- $kubeapiServerEndpoint := .Values.global.k8sAPIHost }}
+{{- if .Values.global.tillers }}
+{{- $topCtx := . }}
+{{- range keys .Values.global.tillers }}
+{{- $key := . }}
+{{- with index $topCtx.Values.global.tillers . }}
+{{- $img := .image.tillerTLSSecrets }}
+{{- $tillerSecret := default "tiller-secret" .secret.tillerSecretName }}
+{{- $helmSecret := default "helm-secret" .secret.helmSecretName }}
+{{- $serviceAccountName := default "tiller" .serviceAccount }}
+{{- $nameSpace := .nameSpace }}
+{{- $deployNameSpace := .deployNameSpace }}
+{{- $img := .image.tillerTLSSecrets }}
+{{- $ctx := dict "ctx" $topCtx "key" $key }}
+{{- if .secret.create }}
+{{- $serviceAccountName := randAlpha 6 | lower | printf "tiller-secret-creator-%s" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $serviceAccountName }}
+ namespace: {{ $deployNameSpace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}-secret-create
+ namespace: {{ $deployNameSpace }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}-secret-create
+ namespace: {{ $deployNameSpace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}-secret-create
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $deployNameSpace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: tiller-secret-generator
+ namespace: {{ $deployNameSpace }}
+spec:
+ template:
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: Never
+ imagePullSecrets:
+ {{- if $img.repositoryCred }}
+ - name: {{ $img.repositoryCred }}
+ {{- else }}
+ - name: {{ include "common.repositoryCred" $topCtx }}
+ {{- end }}
+ containers:
+ - name: tiller-secret-generator
+ image: {{ if $img.repository }}{{- $img.repository -}}/{{ else }} {{ include "common.repository" $topCtx -}}/{{- end -}}{{- $img.name -}}{{- if $img.tag -}} : {{- $img.tag -}} {{- end }}
+ imagePullPolicy: {{ default "IfNotPresent" $img.pullPolicy }}
+ env:
+ - name: ENTITIES
+ value: {{ tuple $tillerSecret $helmSecret | join " " }}
+ - name: TILLER_KEY_NAME
+ value: {{ $tillerSecret }}.key.pem
+ - name: TILLER_CERT_NAME
+ value: {{ $tillerSecret }}.cert.pem
+ - name: HELM_KEY_NAME
+ value: {{ $helmSecret }}.key.pem
+ - name: HELM_CERT_NAME
+ value: {{ $helmSecret }}.cert.pem
+ - name: TILLER_CN
+ value: {{ default ( include "common.servicename.tiller" $ctx ) .hostname }}
+ - name: CLUSTER_SERVER
+ value: {{ default "https://kubernetes.default.svc.cluster.local/" $kubeapiServerEndpoint }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
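Review bot: The Role bound to the generator Job's ServiceAccount allows `get` and `patch` on every Secret in `$deployNameSpace`, because its single rule (`resources: ["secrets"]`, `verbs: ["create", "get", "patch"]`) carries no `resourceNames`. Anything running under that ServiceAccount, including a faulty or tampered generator image, can therefore read and modify unrelated credentials in the namespace. Since Kubernetes RBAC cannot restrict `create` by name, split the rule: keep `create` unscoped and limit `get`/`patch` to the two secrets the Job manages. The names below assume the Job stores its output under `$tillerSecret` and `$helmSecret`, which the `ENTITIES` value suggests but the template does not show; confirm against the generator image.

```yaml
rules:
# create cannot be limited by resourceNames, so it stays namespace-wide
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
# read/update only the two TLS secrets this Job is expected to own
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["{{ $tillerSecret }}", "{{ $helmSecret }}"]
  verbs: ["get", "patch"]
```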