X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;ds=inline;f=ric-infra%2F45-Tiller%2Fhelm%2Fricplt-tiller%2Ftemplates%2Fjob-tiller-secrets.yaml;fp=ric-infra%2F45-Tiller%2Fhelm%2Fricplt-tiller%2Ftemplates%2Fjob-tiller-secrets.yaml;h=0a1a29ad1613f169dfe8b93fdd0f0ead94974976;hb=ed7eec523578f84ee16307c19d81a605af66b887;hp=0000000000000000000000000000000000000000;hpb=25428c74ecffd82152b5642cca81c19508d3218c;p=it%2Fdep.git
diff --git a/ric-infra/45-Tiller/helm/ricplt-tiller/templates/job-tiller-secrets.yaml b/ric-infra/45-Tiller/helm/ricplt-tiller/templates/job-tiller-secrets.yaml
new file mode 100644
index 00000000..0a1a29ad
--- /dev/null
+++ b/ric-infra/45-Tiller/helm/ricplt-tiller/templates/job-tiller-secrets.yaml
@@ -0,0 +1,102 @@
+{{/*
+ Copyright (c) 2019 AT&T Intellectual Property.
+ Copyright (c) 2019 Nokia.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/}}
+
+{{- if .Values.global }}
+{{- if .Values.global.tillers }}
+{{- $topCtx := . }}
+{{- range keys .Values.global.tillers }}
+{{- $key := . }}
+{{- with index $topCtx.Values.global.tillers . }}
+{{- $img := .image.tillerTLSSecrets }}
+{{- $tillerSecret := default "tiller-secret" .secret.tillerSecretName }}
+{{- $helmSecret := default "helm-secret" .secret.helmSecretName }}
+{{- $serviceAccountName := default "tiller" .serviceAccount }}
+{{- $nameSpace := .nameSpace }}
+{{- $deployNameSpace := .deployNameSpace }}
+{{- $img := .image.tillerTLSSecrets }}
+{{- $ctx := dict "ctx" $topCtx "key" $key }}
+{{- if .secret.create }}
+{{- $serviceAccountName := randAlpha 6 | lower | printf "tiller-secret-creator-%s" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $serviceAccountName }}
+ namespace: {{ $deployNameSpace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ $serviceAccountName }}-secret-create
+ namespace: {{ $deployNameSpace }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ $serviceAccountName }}-secret-create
+ namespace: {{ $deployNameSpace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $serviceAccountName }}-secret-create
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ $deployNameSpace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: tiller-secret-generator
+ namespace: {{ $deployNameSpace }}
+spec:
+ template:
+ spec:
+ serviceAccountName: {{ $serviceAccountName }}
+ restartPolicy: Never
+ imagePullSecrets:
+ {{- if $img.repositoryCred }}
+ - name: {{ $img.repositoryCred }}
+ {{- else }}
+ - name: {{ include "common.repositoryCred" $topCtx }}
+ {{- end }}
+ containers:
+ - name: tiller-secret-generator
+ image: {{ if $img.repository }}{{- $img.repository -}}/{{ else }} {{ include "common.repository" $topCtx -}}/{{- end -}}{{- $img.name -}}{{- if $img.tag -}} : {{- $img.tag -}} {{- end }}
+ imagePullPolicy: {{ default "IfNotPresent" $img.pullPolicy }}
+ env:
+ - name: ENTITIES
+ value: {{ tuple $tillerSecret $helmSecret | join " " }}
+ - name: TILLER_KEY_NAME
+ value: {{ $tillerSecret }}.key.pem
+ - name: TILLER_CERT_NAME
+ value: {{ $tillerSecret }}.cert.pem
+ - name: HELM_KEY_NAME
+ value: {{ $helmSecret }}.key.pem
+ - name: HELM_CERT_NAME
+ value: {{ $helmSecret }}.cert.pem
+ - name: TILLER_CN
+ value: {{ default ( include "common.servicename.tiller" $ctx ) .hostname }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
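Review bot: The Role `{{ $serviceAccountName }}-secret-create` grants `get` and `patch` on every Secret in `$deployNameSpace`, so the generator pod's service-account token can read or modify any credential stored in that namespace, not only the TLS material this Job produces. `create` cannot be narrowed with `resourceNames`, but `get` and `patch` can, so splitting the rule confines read/modify access to the two secrets listed in `ENTITIES`; this assumes the generator image names its secrets after those values, which the template does not show. The ServiceAccount, Role and RoleBinding are also rendered as ordinary release resources, so the grant appears to remain in place after the Job has finished.

```yaml
rules:
# create is authorized before the object name is known, so it stays unscoped
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
# read/modify only the two TLS secrets this job manages
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: [{{ $tillerSecret | quote }}, {{ $helmSecret | quote }}]
  verbs: ["get", "patch"]
# … unchanged: RoleBinding and Job …
```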