From: dave kormann
Date: Thu, 11 Jul 2019 15:07:08 +0000 (-0400)
Subject: Add serviceaccount support to common and appmgr
X-Git-Tag: 0.0.2~67^2
X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=fb1483d09cc5deba80360184fb4f91b526f57c53;p=it%2Fdep.git
Add serviceaccount support to common and appmgr
This change adds a serviceaccount to the appmgr helm chart with explicit permission to list pods in the namespace where it expects to find its tiller; this is to handle the case where the default serviceaccount is not allowed to list pods. To support his, service account name support was added to the common chart.
signed-off-by: dave kormann
Change-Id: Ia1c46ebbaf5d22731d657858b56efcef8d13d5f5
---
diff --git a/ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl b/ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl
new file mode 100644
index 00000000..9daabc91
--- /dev/null
+++ b/ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl
@@ -0,0 +1,71 @@
+################################################################################
+# Copyright (c) 2019 AT&T Intellectual Property. #
+# Copyright (c) 2019 Nokia. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+
+{{/*
+ Resolve the name of a chart's serviceaccount
+*/}}
+
+
+{{- define "common.serviceaccountname.appmgr" -}}
+ {{- $name := ( include "common.fullname.appmgr" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.dbaas" -}}
+ {{- $name := ( include "common.fullname.dbaas" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.e2mgr" -}}
+ {{- $name := ( include "common.fullname.e2mgr" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.e2term" -}}
+ {{- $name := ( include "common.fullname.e2term" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.rtmgr" -}}
+ {{- $name := ( include "common.fullname.rtmgr" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.a1mediator" -}}
+ {{- $name := ( include "common.fullname.a1mediator" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.nexus" -}}
+ {{- $name := ( include "common.fullname.nexus" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.dashboard" -}}
+ {{- $name := ( include "common.fullname.dashboard" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.messagerouter" -}}
+ {{- $name := ( include "common.fullname.messagerouter" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.ves" -}}
+ {{- $name := ( include "common.fullname.ves" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml
index a4848137..1ea190b8 100644
--- a/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml
+++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml
@@ -38,6 +38,7 @@ spec:
 release: {{ .Release.Name }}
 spec:
 hostname: {{ include "common.name.appmgr" . }}
+ serviceAccountName: {{ include "common.serviceaccountname.appmgr" . }}
 imagePullSecrets:
 - name: {{ include "common.repositoryCred" . }}
 containers:
diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
new file mode 100644
index 00000000..8dbb63c7
--- /dev/null
+++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
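Review bot: The ten `common.serviceaccountname.*` definitions in `_serviceaccountname.tpl` repeat the same two lines and differ only in the component name, so the `svcacct-` prefix and the 63-character truncation now live in ten places. One helper that takes the already-resolved full name, for example `{{- define "common.serviceaccountname" -}}{{- printf "svcacct-%s" . | trunc 63 | trimSuffix "-" -}}{{- end -}}`, would let each per-component define become a one-line `include`. The header comment should also state that the result is prefixed and cut to 63 characters, because two long full names that share their first 55 characters would resolve to the same ServiceAccount and therefore the same RBAC bindings. `common.fullname.*` is defined outside this diff, so whether such a collision can occur here is not visible.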
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}
+ namespace: {{ include "common.namespace.platform" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" . }}-access
+ namespace: {{ include "common.helmrepositorytillernamespace" . }}
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access
+ namespace: {{ include "common.helmrepositorytillernamespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "common.serviceaccountname.appmgr" . }}
+ namespace: {{ include "common.namespace.platform" . }}
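Review bot: The Role created in the tiller namespace grants `get` as well as `list` on pods, while the commit description states the need only as listing pods; if appmgr never fetches a pod by name, the rule can be `verbs: ["list"]`. Either verb returns full pod objects, including container env values, for every pod in that namespace, so a comment above `rules:` recording why the access exists would help, e.g. `# appmgr locates its tiller pod; read-only, pods only`. Both RBAC documents use `rbac.authorization.k8s.io/v1beta1`; the `v1` API has been available since Kubernetes 1.8 and `v1beta1` was removed in 1.22, so `apiVersion: rbac.authorization.k8s.io/v1` is the more durable choice for the Role and the RoleBinding.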