From fb1483d09cc5deba80360184fb4f91b526f57c53 Mon Sep 17 00:00:00 2001
From: dave kormann
Date: Thu, 11 Jul 2019 11:07:08 -0400
Subject: [PATCH] Add serviceaccount support to common and appmgr

This change adds a serviceaccount to the appmgr helm chart with explicit permission to list pods in the namespace where it expects to find its tiller; this is to handle the case where the default serviceaccount is not allowed to list pods. To support his, service account name support was added to the common chart.
signed-off-by: dave kormann
Change-Id: Ia1c46ebbaf5d22731d657858b56efcef8d13d5f5
---
 .../ric-common/templates/_serviceaccountname.tpl | 71 ++++++++++++++++++++++
 .../helm/appmgr/templates/deployment.yaml | 1 +
 .../helm/appmgr/templates/serviceaccount.yaml | 30 +++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl
 create mode 100644 ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
diff --git a/ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl b/ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl
new file mode 100644
index 00000000..9daabc91
--- /dev/null
+++ b/ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl
@@ -0,0 +1,71 @@
+################################################################################
+# Copyright (c) 2019 AT&T Intellectual Property. #
+# Copyright (c) 2019 Nokia. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+
+{{/*
+ Resolve the name of a chart's serviceaccount
+*/}}
+
+
+{{- define "common.serviceaccountname.appmgr" -}}
+ {{- $name := ( include "common.fullname.appmgr" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.dbaas" -}}
+ {{- $name := ( include "common.fullname.dbaas" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.e2mgr" -}}
+ {{- $name := ( include "common.fullname.e2mgr" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.e2term" -}}
+ {{- $name := ( include "common.fullname.e2term" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.rtmgr" -}}
+ {{- $name := ( include "common.fullname.rtmgr" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.a1mediator" -}}
+ {{- $name := ( include "common.fullname.a1mediator" .
) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.nexus" -}}
+ {{- $name := ( include "common.fullname.nexus" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.dashboard" -}}
+ {{- $name := ( include "common.fullname.dashboard" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.messagerouter" -}}
+ {{- $name := ( include "common.fullname.messagerouter" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.ves" -}}
+ {{- $name := ( include "common.fullname.ves" . ) -}}
+ {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml
index a4848137..1ea190b8 100644
--- a/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml
+++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml
@@ -38,6 +38,7 @@ spec:
 release: {{ .Release.Name }}
 spec:
 hostname: {{ include "common.name.appmgr" . }}
+ serviceAccountName: {{ include "common.serviceaccountname.appmgr" . }}
 imagePullSecrets:
 - name: {{ include "common.repositoryCred" . }}
 containers:
diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
new file mode 100644
index 00000000..8dbb63c7
--- /dev/null
+++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
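Review bot: The header comment in `_serviceaccountname.tpl` does not say what name these helpers produce, nor that they only compute a name, and this commit ships a ServiceAccount manifest for appmgr alone. A deployment that later sets `serviceAccountName` from one of the other nine helpers (dbaas, e2mgr, and so on) without adding a matching ServiceAccount would reference an account that does not exist, and its pods would presumably not be admitted. I would extend the comment to something like `Resolve the name of a chart's serviceaccount: "svcacct-" plus the chart's fullname, cut to 63 characters. These helpers only return the name; the chart must create the ServiceAccount itself.`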
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}
+ namespace: {{ include "common.namespace.platform" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" . }}-access
+ namespace: {{ include "common.helmrepositorytillernamespace" . }}
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access
+ namespace: {{ include "common.helmrepositorytillernamespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "common.serviceaccountname.appmgr" . }}
+ namespace: {{ include "common.namespace.platform" . }}
--
2.16.6
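Review bot: Both the Role and the RoleBinding in `serviceaccount.yaml` are declared with `apiVersion: rbac.authorization.k8s.io/v1beta1`; the `v1` API has been stable since Kubernetes 1.8 and the beta version was removed in 1.22, so I would change both documents to `apiVersion: rbac.authorization.k8s.io/v1`. The grant itself is narrowly scoped (a namespaced Role with `get`/`list` on `pods` in the tiller namespace only) and should stay that way. Bear in mind that `list` on pods returns full pod specs, including any literal env values set on pods in that namespace. The Role name expression is also written three times with inconsistent spacing (`.}}` against `. }}`); a single `{{- $roleName := ... -}}` at the top of the file would keep `metadata.name` and `roleRef.name` from drifting apart.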