From 75b5b699748ed990eb8996652efef950eee5d9b9 Mon Sep 17 00:00:00 2001 
From: dave kormann Date: Sat, 20 Apr 2019 16:01:59 -0400 Subject: [PATCH] IMPLEMENTS: RICPLT-1144: Support multiple Tillers This change adds scripts and configurations to support multiple, limited-capability and TLS-enabled helm tiller instances in the RIC. Specifically, it's envisioned that a RIC will have (at least) two running tiller pods: one for xapp deployment and one for ric platform component deployment; these will be independent of any systemwide tiller deployment, and will be limited to acting within their own namespaces. The tiller configurations are integrated with the common template and can be cross-referenced among other helm charts. Change-Id: I39341a6191c688d1960b5bfbe47eb99ca95fa1d6 signed-off-by: dave kormann --- RECIPE_EXAMPLE/RIC_AUX_RECIPE_EXAMPLE | 47 ++++-- RECIPE_EXAMPLE/RIC_INFRA_RECIPE_EXAMPLE | 44 ++++-- RECIPE_EXAMPLE/RIC_PLATFORM_RECIPE_EXAMPLE | 53 +++++-- .../Common-Template/helm/ric-common/Chart.yaml | 2 +- .../helm/ric-common/templates/_helmrepo.tpl | 76 --------- .../helm/ric-common/templates/_helmtiller.tpl | 150 ++++++++++++++++++ ric-infra/25-tiller/bin/install | 85 ++++++++++ ric-infra/25-tiller/bin/uninstall | 55 +++++++ ric-infra/25-tiller/etc/tiller.conf | 37 +++++ ric-infra/25-tiller/helm/ricplt-tiller/Chart.yaml | 5 + .../25-tiller/helm/ricplt-tiller/requirements.yaml | 20 +++ .../ricplt-tiller/templates/deployment-tiller.yaml | 176 +++++++++++++++++++++ .../templates/job-tiller-secrets.yaml | 102 ++++++++++++ ric-infra/25-tiller/helm/ricplt-tiller/values.yaml | 26 +++ .../helm/appmgr/templates/appconfig.yaml | 10 +- .../bin/_appmgr-tiller-secret-copier.sh.tpl | 41 +++++ .../templates/bin/_svcacct-to-kubeconfig.sh.tpl | 46 ++++++ .../helm/appmgr/templates/configmap-bin.yaml | 26 +++ .../helm/appmgr/templates/deployment.yaml | 59 ++++++- .../50-RIC-Platform/helm/appmgr/templates/env.yaml | 17 +- .../helm/appmgr/templates/serviceaccount.yaml | 21 ++- .../50-RIC-Platform/helm/appmgr/values.yaml | 13 +- 22 files changed, 977 
insertions(+), 134 deletions(-) create mode 100644 ric-common/Common-Template/helm/ric-common/templates/_helmtiller.tpl create mode 100755 ric-infra/25-tiller/bin/install create mode 100755 ric-infra/25-tiller/bin/uninstall create mode 100644 ric-infra/25-tiller/etc/tiller.conf create mode 100644 ric-infra/25-tiller/helm/ricplt-tiller/Chart.yaml create mode 100644 ric-infra/25-tiller/helm/ricplt-tiller/requirements.yaml create mode 100644 ric-infra/25-tiller/helm/ricplt-tiller/templates/deployment-tiller.yaml create mode 100644 ric-infra/25-tiller/helm/ricplt-tiller/templates/job-tiller-secrets.yaml create mode 100644 ric-infra/25-tiller/helm/ricplt-tiller/values.yaml create mode 100644 ric-platform/50-RIC-Platform/helm/appmgr/templates/bin/_appmgr-tiller-secret-copier.sh.tpl create mode 100755 ric-platform/50-RIC-Platform/helm/appmgr/templates/bin/_svcacct-to-kubeconfig.sh.tpl create mode 100644 ric-platform/50-RIC-Platform/helm/appmgr/templates/configmap-bin.yaml diff --git a/RECIPE_EXAMPLE/RIC_AUX_RECIPE_EXAMPLE b/RECIPE_EXAMPLE/RIC_AUX_RECIPE_EXAMPLE index ef5d1fc0..bb79baf9 100644 --- a/RECIPE_EXAMPLE/RIC_AUX_RECIPE_EXAMPLE +++ b/RECIPE_EXAMPLE/RIC_AUX_RECIPE_EXAMPLE @@ -21,7 +21,7 @@ global: # Docker registry from which RIC platform components pull the images repository: nexus3.o-ran-sc.org:10004 - + # Name of the K8S docker credential that is onboarded by 20-credential repositoryCred: docker-reg-cred @@ -29,7 +29,7 @@ global: imagePullPolicy: Always # Helm repo that will be used by xApp manager - helmRepository: "https://helm-entry" + helmRepository: "http://service-ricinfra-chartmuseum-http.ricinfra:8080" # Certificate of the helm repo helmRepositoryCert: xapp-mgr-certs 
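Review bot: In the `@@ -29,7 +29,7 @@` hunk the xApp chart repository moves from `https://helm-entry` to plain `http://service-ricinfra-chartmuseum-http.ricinfra:8080`, so charts the xApp manager hands to the ricxapp tiller are no longer integrity-protected in transit, while the `helmRepositoryCert: xapp-mgr-certs` line two lines below now references a certificate that nothing verifies against. If chartmuseum cannot be fronted by TLS, the trust assumption should at least be written down next to the value: `# NOTE: plain HTTP - chart integrity relies on the ricinfra cluster network being trusted; helmRepositoryCert is unused with this URL`. Otherwise keep the https URL and point it at a TLS-terminated service.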
@@ -37,15 +37,6 @@ global: # Name of the K8S secret that contains the credential of the helm repo helmRepositoryCred: xapp-mgr-creds - # The name of the tiller that xApp helm client talks to - helmRepositoryTiller: tiller-deploy - - # The namespace of the xApp helm tiller - helmRepositoryTillerNamespace: kube-system - - # The port the xApp helm tiller is listening to - helmRepositoryTillerPort: 44134 - # The ingress URL definitions for the ingress controller in four namespaces ingressurl: platform: ricplt-entry @@ -55,7 +46,39 @@ global: localnexus: nexus-entry localhelm: helm-entry localdocker: docker-entry - + + tillers: + ricxapp: + name: ricxapp + nameSpace: ricxapp + deployNameSpace: ricinfra + image: + tillerTLSSecrets: + repository: nexus3.o-ran-sc.org:10004 + name: it-dep-secret + tag: 0.0.1 + tiller: + repository: gcr.io + name: kubernetes-helm/tiller + tag: v2.12.3 + secret: + create: true + tillerSecretName: secret-tiller-ricxapp + helmSecretName: secret-helm-client-ricxapp + tls: + authenticate: true + verify: true + serviceAccount: + name: tiller + role: + - apiGroups: [""] + resources: ["pods", "configmaps", "services"] + verbs: ["get", "list", "create", "delete"] + - apiGroups: ["extensions", "apps"] + resources: ["deployments"] + verbs: ["get", "list", "create", "delete"] + port: 44134 + #------------------------------------------------------------------------- # Auxiliary Functions #------------------------------------------------------------------------- diff --git a/RECIPE_EXAMPLE/RIC_INFRA_RECIPE_EXAMPLE b/RECIPE_EXAMPLE/RIC_INFRA_RECIPE_EXAMPLE index f5bea07a..56a94010 100644 --- a/RECIPE_EXAMPLE/RIC_INFRA_RECIPE_EXAMPLE +++ b/RECIPE_EXAMPLE/RIC_INFRA_RECIPE_EXAMPLE @@ -21,7 +21,7 @@ global: # Docker registry from which RIC platform components pull the images repository: nexus3.o-ran-sc.org:10004 - + # Name of the K8S docker credential that is onboarded by 20-credential repositoryCred: docker-reg-cred 
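Review bot: The new `tillers.ricxapp.serviceAccount.role` grants `get`, `list`, `create`, `delete` but no `update` or `patch` on deployments, services, pods or configmaps; Tiller applies `helm upgrade` and `helm rollback` as patches, so an upgrade of an already-deployed xApp through this tiller is likely to be rejected by RBAC (worth confirming against the appmgr flow). If upgrades are intended, the two rule lines should read `verbs: ["get", "list", "create", "delete", "update", "patch"]`; if the tiller is deliberately install/delete-only, say so in a comment so nobody "fixes" it later. Every other key in this file carries a one-line comment, but `tillers`, `tls` and `role` have none; a comment such as `# Per-tiller config; role is the RBAC Role bound to the tiller service account in nameSpace, deployNameSpace is where the tiller pod runs` would help operators who copy this recipe.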
@@ -37,15 +37,6 @@ global: # Name of the K8S secret that contains the credential of the helm repo helmRepositoryCred: xapp-mgr-creds - # The name of the tiller that xApp helm client talks to - helmRepositoryTiller: tiller-deploy - - # The namespace of the xApp helm tiller - helmRepositoryTillerNamespace: kube-system - - # The port the xApp helm tiller is listening to - helmRepositoryTillerPort: 44134 - # The ingress URL definitions for the ingress controller in four namespaces ingressurl: platform: ricplt-entry @@ -55,6 +46,39 @@ global: localnexus: nexus-entry localhelm: helm-entry localdocker: docker-entry + + tillers: + ricxapp: + name: ricxapp + nameSpace: ricxapp + deployNameSpace: ricinfra + image: + tillerTLSSecrets: + repository: nexus3.o-ran-sc.org:10004 + name: it-dep-secret + tag: 0.0.1 + tiller: + repository: gcr.io + name: kubernetes-helm/tiller + tag: v2.12.3 + secret: + create: true + tillerSecretName: secret-tiller-ricxapp + helmSecretName: secret-helm-client-ricxapp + tls: + authenticate: true + verify: true + serviceAccount: + name: tiller + role: + - apiGroups: [""] + resources: ["pods", "configmaps", "services"] + verbs: ["get", "list", "create", "delete"] + - apiGroups: ["extensions", "apps"] + resources: ["deployments"] + verbs: ["get", "list", "create", "delete"] + port: 44134 + #------------------------------------------------------------------------- # Infrastructure #------------------------------------------------------------------------- diff --git a/RECIPE_EXAMPLE/RIC_PLATFORM_RECIPE_EXAMPLE b/RECIPE_EXAMPLE/RIC_PLATFORM_RECIPE_EXAMPLE index 3f48dc06..b6248d97 100644 --- a/RECIPE_EXAMPLE/RIC_PLATFORM_RECIPE_EXAMPLE +++ b/RECIPE_EXAMPLE/RIC_PLATFORM_RECIPE_EXAMPLE @@ -21,7 +21,7 @@ global: # Docker registry from which RIC platform components pull the images repository: nexus3.o-ran-sc.org:10004 - + # Name of the K8S docker credential that is onboarded by 20-credential repositoryCred: docker-reg-cred 
@@ -37,15 +37,6 @@ global: # Name of the K8S secret that contains the credential of the helm repo helmRepositoryCred: xapp-mgr-creds - # The name of the tiller that xApp helm client talks to - helmRepositoryTiller: tiller-deploy - - # The namespace of the xApp helm tiller - helmRepositoryTillerNamespace: kube-system - - # The port the xApp helm tiller is listening to - helmRepositoryTillerPort: 44134 - # The ingress URL definitions for the ingress controller in four namespaces ingressurl: platform: ricplt-entry @@ -56,6 +47,39 @@ global: localhelm: helm-entry localdocker: docker-entry + tillers: + ricxapp: + name: ricxapp + nameSpace: ricxapp + deployNameSpace: ricinfra + image: + tillerTLSSecrets: + repository: nexus3.o-ran-sc.org:10004 + name: it-dep-secret + tag: 0.0.1 + tiller: + repository: gcr.io + name: kubernetes-helm/tiller + tag: v2.12.3 + secret: + create: true + tillerSecretName: secret-tiller-ricxapp + helmSecretName: secret-helm-client-ricxapp + tls: + authenticate: true + verify: true + serviceAccount: + name: tiller + role: + - apiGroups: [""] + resources: ["pods", "configmaps", "services"] + verbs: ["get", "list", "create", "delete"] + - apiGroups: ["extensions", "apps"] + resources: ["deployments"] + verbs: ["get", "list", "create", "delete"] + port: 44134 + + #------------------------------------------------------------------------- # Platform Components #------------------------------------------------------------------------- @@ -65,7 +89,7 @@ a1mediator: # repositoryOverride: image: name: ric-plt-a1 - tag: 0.9.0 + tag: 0.10.1 rmr_timeout_config: rcv_retry_interval_ms: 500 rcv_retry_times: 20 @@ -75,6 +99,9 @@ appmgr: # Use the following option to override the docker registry value # repositoryOverride: image: + init: + name: it-dep-init + tag: 0.0.1 name: ric-plt-appmgr tag: 0.1.5 @@ -120,7 +147,7 @@ rtmgr: # repositoryOverride: image: name: ric-plt-rtmgr - tag: 0.3.1 + tag: 0.3.2 # Subscription Manager submgr: 
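Review bot: The same 30-line `tillers` stanza is pasted verbatim into RIC_AUX_RECIPE_EXAMPLE, RIC_INFRA_RECIPE_EXAMPLE and this file, so a later change to the xapp tiller's role verbs or TLS flags has to be made in three places, and any drift between them would give the three deployments different tiller permissions without anyone noticing. If the recipes cannot share a values file, mark the stanza in each copy with `# keep in sync with RIC_AUX_RECIPE_EXAMPLE and RIC_INFRA_RECIPE_EXAMPLE` so reviewers know to compare them.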
@@ -137,4 +164,4 @@ extsvcplt: ricip: # The ip address of the ric cluster ingress controller - \ No newline at end of file + diff --git a/ric-common/Common-Template/helm/ric-common/Chart.yaml b/ric-common/Common-Template/helm/ric-common/Chart.yaml index a6dde6e7..f48aa05f 100644 --- a/ric-common/Common-Template/helm/ric-common/Chart.yaml +++ b/ric-common/Common-Template/helm/ric-common/Chart.yaml @@ -18,4 +18,4 @@ apiVersion: v1 description: Common templates for inclusion in other charts name: ric-common -version: 2.0.0 +version: 2.0.2 diff --git a/ric-common/Common-Template/helm/ric-common/templates/_helmrepo.tpl b/ric-common/Common-Template/helm/ric-common/templates/_helmrepo.tpl index c662cf53..6d28d22e 100644 --- a/ric-common/Common-Template/helm/ric-common/templates/_helmrepo.tpl +++ b/ric-common/Common-Template/helm/ric-common/templates/_helmrepo.tpl 
@@ -91,82 +91,6 @@ {{- end -}} -{{/* - Resolve the helm repository tiller service name. - The tiller should be installed by K8S system admin. - The value for .Values.helmRepositoryTiller is used by default, - unless either override mechanism is used. - - - .Values.global.helmrepositoryTiller : override default helm repository tiller - - .Values.helmRepositoryTillerOverride : override global and default helm repository tiller -*/}} -{{- define "common.helmrepositorytiller" -}} - {{- if .Values.helmRepositoryTillerOverride -}} - {{- printf "%s" .Values.helmRepositoryTillerOverride -}} - {{- else -}} - {{- if .Values.global -}} - {{- if .Values.global.helmRepositoryTiller -}} - {{- printf "%s" .Values.global.helmRepositoryTiller -}} - {{- else -}} - {{- printf "%s" .Values.helmRepositoryTiller -}} - {{- end -}} - {{- else -}} - {{- printf "%s" .Values.helmRepositoryTiller -}} - {{- end -}} - {{- end -}} -{{- end -}} - - -{{/* - Resolve the helm repository tiller service namespace. - The tiller should be installed by K8S system admin. - The value for .Values.helmRepositoryTillerNamespace is used by default, - unless either override mechanism is used. 
- - - .Values.global.helmrepositoryTillerNamespace : override default helm repository tiller namespace - - .Values.helmRepositoryTillerNamespaceOverride : override global and default helm repository tiller namespace -*/}} -{{- define "common.helmrepositorytillernamespace" -}} - {{- if .Values.helmRepositoryTillerNamespaceOverride -}} - {{- printf "%s" .Values.helmRepositoryTillerNamespaceOverride -}} - {{- else -}} - {{- if .Values.global -}} - {{- if .Values.global.helmRepositoryTillerNamespace -}} - {{- printf "%s" .Values.global.helmRepositoryTillerNamespace -}} - {{- else -}} - {{- printf "%s" .Values.helmRepositoryTillerNamespace -}} - {{- end -}} - {{- else -}} - {{- printf "%s" .Values.helmRepositoryTillerNamespace -}} - {{- end -}} - {{- end -}} -{{- end -}} - - -{{/* - Resolve the helm repository tiller service port. - The tiller should be installed by K8S system admin. - The value for .Values.helmRepositoryTillerPort is used by default, - unless either override mechanism is used. - - - .Values.global.helmrepositoryTillerPort : override default helm repository tiller port - - .Values.helmRepositoryTillerPortOverride : override global and default helm repository tiller port -*/}} -{{- define "common.helmrepositorytillerport" -}} - {{- if .Values.helmRepositoryTillerPortOverride -}} - {{- printf "%.0f" .Values.helmRepositoryTillerPortOverride -}} - {{- else -}} - {{- if .Values.global -}} - {{- if .Values.global.helmRepositoryTillerPort -}} - {{- printf "%.0f" .Values.global.helmRepositoryTillerPort -}} - {{- else -}} - {{- printf "%.0f" .Values.helmRepositoryTillerPort -}} - {{- end -}} - {{- else -}} - {{- printf "%.0f" .Values.helmRepositoryTillerPort -}} - {{- end -}} - {{- end -}} -{{- end -}} {{/* Generate certificates for the helm repo diff --git a/ric-common/Common-Template/helm/ric-common/templates/_helmtiller.tpl b/ric-common/Common-Template/helm/ric-common/templates/_helmtiller.tpl new file mode 100644 index 00000000..ce455776 --- /dev/null 
+++ b/ric-common/Common-Template/helm/ric-common/templates/_helmtiller.tpl 
@@ -0,0 +1,150 @@ +################################################################################ +# Copyright (c) 2019 AT&T Intellectual Property. # +# Copyright (c) 2019 Nokia. # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ + +{{- define "recursiveprinter" -}} + {{- $ctx := .ctx }} + {{- $printkeys := .printkeys }} + {{- $currentkey := first $printkeys -}} + {{- $restkeys := rest $printkeys -}} + {{- if empty $restkeys -}} + {{- $result := index $ctx $currentkey -}} + {{- if not (empty $result) -}} + {{- $result -}} + {{- end -}} + {{- else -}} + {{- with index $ctx $currentkey }} + {{- $newctx := dict "ctx" . 
"printkeys" $restkeys -}} + {{- include "recursiveprinter" $newctx -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "printer" -}} + {{- $topctx := .ctx }} + {{- if hasKey $topctx.Values "global" }} + {{- if hasKey $topctx.Values.global "tillers" }} + {{- $ctx := index $topctx.Values.global.tillers .key -}} + {{- if not (empty $ctx) -}} + {{- $newctx := dict "ctx" $ctx "printkeys" .printkey -}} + {{- include "recursiveprinter" $newctx -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + + + + +{{- define "common.tillerName" -}} + {{- $printkey := list "name" -}} + {{- $newctx := dict "ctx" .ctx "key" .key "printkey" $printkey }} + {{- default "tiller-deploy" (include "printer" $newctx) -}} +{{- end -}} + + +{{- define "common.tillerNameSpace" -}} + {{- $printkey := list "nameSpace" -}} + {{- $newctx := dict "ctx" .ctx "key" .key "printkey" $printkey }} + {{- default "kube-system" (include "printer" $newctx) -}} +{{- end -}} + +{{- define "common.tillerDeployNameSpace" -}} + {{- $printkey := list "deployNameSpace" -}} + {{- $newctx := dict "ctx" .ctx "key" .key "printkey" $printkey }} + {{- default "kube-system" (include "printer" $newctx) -}} +{{- end -}} + + + +{{- define "common.tillerPort" -}} + {{- $printkey := list "port" -}} + {{- $newctx := dict "ctx" .ctx "key" .key "printkey" $printkey }} + {{- default 44134 (include "printer" $newctx) -}} +{{- end -}} + + + + +{{- define "common.tillerTLSVerify" -}} + {{- $printkey := list "tls" "verify" -}} + {{- $newctx := dict "ctx" .ctx "key" .key "printkey" $printkey }} + {{- default false (include "printer" $newctx) -}} +{{- end -}} + + +{{- define "common.tillerTLSAuthenticate" -}} + {{- $printkey := list "tls" "authenticate" -}} + {{- $newctx := dict "ctx" .ctx "key" .key "printkey" $printkey }} + {{- default false (include "printer" $newctx) -}} +{{- end -}} + +{{- define "common.tillerHelmClientTLSSecret" -}} + {{- $tlsverify := include "common.tillerTLSVerify" . 
}} + {{- $tlsauthenticate := include "common.tillerTLSAuthenticate" . }} + {{- if or (eq $tlsverify "true") (eq $tlsauthenticate "true") }} + {{- $printkey := list "secret" "helmSecretName" -}} + {{- $newctx := dict "ctx" .ctx "key" .key "printkey" $printkey }} + {{- default "" (include "printer" $newctx) -}} + {{- else -}} + {{- printf "" -}} + {{- end }} +{{- end -}} + + + + +{{- define "common.serviceaccountname.tiller" -}} + {{- $name := ( include "common.tillerName" . ) -}} + {{- printf "svcacct-tiller-%s" $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + + +{{- define "common.deploymentname.tiller" -}} + {{- $name := ( include "common.tillerName" . ) -}} + {{- printf "deployment-tiller-%s" $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + +{{- define "common.servicename.tiller" -}} + {{- $topctx := .ctx }} + {{- if hasKey $topctx.Values "global" }} + {{- if hasKey $topctx.Values.global "tillers" }} + {{- $ctx := index $topctx.Values.global.tillers .key -}} + {{- if not (empty $ctx) -}} + {{- if hasKey $ctx "name" -}} + {{- $name := include "common.tillerName" . -}} + {{- printf "service-tiller-%s" $name | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{ "tiller-deploy" }} + {{- end -}} + {{- else -}} + {{ "tiller-deploy" }} + {{- end -}} + {{- else -}} + {{ "tiller-deploy" }} + {{- end -}} + {{- else -}} + {{ "tiller-deploy" }} + {{- end -}} +{{- end -}} + +{{- define "common.tillerEndpoint" -}} + {{- $servicename := ( include "common.servicename.tiller" . ) -}} + {{- $deploynamespace := ( include "common.tillerDeployNameSpace" . ) -}} + {{- printf "%s.%s" $servicename $deploynamespace -}} +{{- end -}} diff --git a/ric-infra/25-tiller/bin/install b/ric-infra/25-tiller/bin/install new file mode 100755 index 00000000..9fed0b58 --- /dev/null +++ b/ric-infra/25-tiller/bin/install 
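Review bot: `common.servicename.tiller`, `common.tillerNameSpace` and `common.tillerDeployNameSpace` silently fall back to `tiller-deploy` / `kube-system` when `global.tillers.<key>` is absent, so a chart rendered against a recipe that lacks the entry quietly targets the cluster-wide tiller in kube-system - the very tiller this change sets out to keep RIC components away from. Given the isolation goal a missing entry should fail the render, e.g. in `common.tillerName`: `{{- required (printf "global.tillers.%s is not defined" .key) (include "printer" $newctx) -}}`, with the same treatment in the namespace and service-name helpers. Separately, `recursiveprinter` discards a boolean `false` through `empty`, so `tls.verify: false` and an absent `tls` key render identically; that is why `common.tillerTLSVerify` and `common.tillerTLSAuthenticate` have to default to `false` today, and switching them to a fail-closed `true` would first need the printer to distinguish "missing" from "false" (for example with `hasKey`).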
@@ -0,0 +1,85 @@ +#!/bin/bash +################################################################################ +# Copyright (c) 2019 AT&T Intellectual Property. # +# Copyright (c) 2019 Nokia. # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ + + +OVERRIDEYAML=$1 + + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )" + +source $DIR/../etc/tiller.conf + +if [ -z "$RICINFRA_RELEASE_NAME" ];then + RELEASE_NAME=$helm_release_name +else + RELEASE_NAME=$RICINFRA_RELEASE_NAME +fi +# Namespace configuration +if [ -z "$RICPLT_NAMESPACE" ];then + PLT_NAMESPACE=$plt_namespace +else + PLT_NAMESPACE=$RICPLT_NAMESPACE +fi +if [ -z "$RICXAPP_NAMESPACE" ];then + XAPP_NAMESPACE=$xapp_namespace +else + XAPP_NAMESPACE=$RICXAPP_NAMESPACE +fi +if [ -z "$RICAUX_NAMESPACE" ];then + AUX_NAMESPACE=$aux_namespace +else + AUX_NAMESPACE=$RICAUX_NAMESPACE +fi +if [ -z "$RICINFRA_NAMESPACE" ];then + INFRA_NAMESPACE=$infra_namespace +else + INFRA_NAMESPACE=$RICINFRA_NAMESPACE +fi + +if [ -z "$RIC_COMMON_OVERRIDE" ];then + COMMON_OVERRIDE="--set global.namespace.platform=$PLT_NAMESPACE --set global.namespace.xapp=$XAPP_NAMESPACE --set global.namespace.aux=$AUX_NAMESPACE --set global.namespace.infra=$INFRA_NAMESPACE" +else + COMMON_OVERRIDE=$RIC_COMMON_OVERRIDE +fi + + + + +RICINFRA_COMPONENTS="ricplt-tiller" + +echo "Deploying RIC infra components [$RICINFRA_COMPONENTS]" +echo 
"Helm Release Name: $RELEASE_NAME" + + +COMMON_CHART_VERSION=$(cat $DIR/../../../ric-common/Common-Template/helm/ric-common/Chart.yaml | grep version | awk '{print $2}') +helm package -d /tmp $DIR/../../../ric-common/Common-Template/helm/ric-common + + + +for component in $RICINFRA_COMPONENTS; do + + mkdir -p $DIR/../helm/$component/charts/ + + cp /tmp/ric-common-$COMMON_CHART_VERSION.tgz $DIR/../helm/$component/charts/ + + if [ -z $OVERRIDEYAML ]; then + helm install --debug --namespace "${INFRA_NAMESPACE}" --name "${RELEASE_NAME}-$component" $COMMON_OVERRIDE $DIR/../helm/$component + else + helm install -f $OVERRIDEYAML --namespace "${INFRA_NAMESPACE}" --name "${RELEASE_NAME}-$component" $COMMON_OVERRIDE $DIR/../helm/$component + fi +done diff --git a/ric-infra/25-tiller/bin/uninstall b/ric-infra/25-tiller/bin/uninstall new file mode 100755 index 00000000..64a01ab6 --- /dev/null +++ b/ric-infra/25-tiller/bin/uninstall 
@@ -0,0 +1,55 @@
+#!/bin/bash
+################################################################################
+# Copyright (c) 2019 AT&T Intellectual Property. #
+# Copyright (c) 2019 Nokia. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+
+
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+
+
+source $DIR/../etc/tiller.conf
+
+if [ -z "$RICINFRA_RELEASE_NAME" ];then
+ RELEASE_NAME=$helm_release_name
+else
+ RELEASE_NAME=$RICINFRA_RELEASE_NAME
+fi
+
+if [ -z "$RICINFRA_NAMESPACE" ];then
+ INFRA_NAMESPACE=$infra_namespace
+else
+ INFRA_NAMESPACE=$RICINFRA_NAMESPACE
+fi
+
+RICINFRA_COMPONENTS="ricplt-tiller"
+
+echo "Undeploying RIC infra components [$RICINFRA_COMPONENTS]"
+echo "Helm Release Name: $RELEASE_NAME"
+
+
+for component in $RICINFRA_COMPONENTS; do
+ helm delete --purge "${RELEASE_NAME}-${component}"
+done
+
+
+# We need to manually delete the secret creates by the secret container
+SECRET_LIST=$(kubectl get secret -n ricinfra | awk '{ if ($2=="Opaque"){ print $1}}')
+
+for component in $SECRET_LIST; do
+ kubectl delete secret -n $INFRA_NAMESPACE $component
+done
diff --git a/ric-infra/25-tiller/etc/tiller.conf b/ric-infra/25-tiller/etc/tiller.conf
new file mode 100644
index 00000000..92008b59
--- /dev/null
+++ b/ric-infra/25-tiller/etc/tiller.conf
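Review bot: The cleanup at the end of `uninstall` deletes every `Opaque` secret in the namespace, not only the two the tiller-secret job created, so running it also wipes secrets owned by any other ricinfra component; and the listing hard-codes `-n ricinfra` while the delete uses `$INFRA_NAMESPACE`, so when the namespace is overridden the script lists one namespace and deletes by those names in another. Delete only what this chart produced, by name from the recipe (`kubectl delete secret -n "$INFRA_NAMESPACE" --ignore-not-found secret-tiller-ricxapp secret-helm-client-ricxapp`) or by a label the generator stamps on them, and drop the Opaque-wide sweep. The comment should also say why helm does not remove these itself: `# The secret-generator Job creates these outside helm's release, so helm delete --purge leaves them behind`.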
@@ -0,0 +1,37 @@
+################################################################################
+# Copyright (c) 2019 AT&T Intellectual Property. #
+# Copyright (c) 2019 Nokia. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you may not use this file except in compliance with the License. #
+# You may obtain a copy of the License at #
+# #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+################################################################################
+
+
+# helm_release_name defines the release name helm will use to deploy RIC
+# It will be overrided by RICPLT_RELEASE_NAME
+helm_release_name=r1
+
+# namespace defines the namespace that helm will use to deploy RIC
+# It will be overrided by RICPLT_NAMESPACE
+plt_namespace=ricplt
+
+# namespace defines the namespace that helm will use to deploy RIC
+# It will be overrided by RICXAPP_NAMESPACE
+xapp_namespace=ricxapp
+
+# namespace defines the namespace that helm will use to deploy RIC
+# It will be overrided by RICAUX_NAMESPACE
+aux_namespace=ricaux
+
+# namespace defines the namespace that helm will use to deploy RIC
+# It will be overrided by RICINFRA_NAMESPACE
+infra_namespace=ricinfra
diff --git a/ric-infra/25-tiller/helm/ricplt-tiller/Chart.yaml b/ric-infra/25-tiller/helm/ricplt-tiller/Chart.yaml
new file mode 100644
index 00000000..65ac639d
--- /dev/null
+++ b/ric-infra/25-tiller/helm/ricplt-tiller/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Create SSL secrets for tiller
+name: ricplt-tiller
+version: 0.1.0
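Review bot: The comment on `helm_release_name` says it is overridden by `RICPLT_RELEASE_NAME`, but `bin/install` and `bin/uninstall` in this same change read `RICINFRA_RELEASE_NAME`, so an operator following this file would export the wrong variable and silently deploy (or fail to undeploy) under the default release `r1`. Change it to `# It will be overridden by RICINFRA_RELEASE_NAME`, and while there fix the spelling "overrided" -> "overridden" in all five comments. The four namespace comments are also identical ("the namespace that helm will use to deploy RIC") although each names a different namespace; say which, e.g. `# infra_namespace is the namespace the tiller pods and their secrets are deployed into`.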
diff --git a/ric-infra/25-tiller/helm/ricplt-tiller/requirements.yaml b/ric-infra/25-tiller/helm/ricplt-tiller/requirements.yaml new file mode 100644 index 00000000..2ab71b4e --- /dev/null +++ b/ric-infra/25-tiller/helm/ricplt-tiller/requirements.yaml @@ -0,0 +1,20 @@ +################################################################################ +# Copyright (c) 2019 AT&T Intellectual Property. # +# Copyright (c) 2019 Nokia. # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ + +dependencies: + - name: ric-common + version: ~2.0.0 diff --git a/ric-infra/25-tiller/helm/ricplt-tiller/templates/deployment-tiller.yaml b/ric-infra/25-tiller/helm/ricplt-tiller/templates/deployment-tiller.yaml new file mode 100644 index 00000000..f85a4867 --- /dev/null +++ b/ric-infra/25-tiller/helm/ricplt-tiller/templates/deployment-tiller.yaml 
@@ -0,0 +1,176 @@ +{{/* + Copyright (c) 2019 AT&T Intellectual Property. + Copyright (c) 2019 Nokia. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} +{{- if .Values.global }} +{{- if .Values.global.tillers }} +{{- $topCtx := . }} +{{- range keys .Values.global.tillers }} +{{- $key := . }} +{{- with index $topCtx.Values.global.tillers . }} +{{- $nameSpace := .nameSpace }} +{{- $deployNameSpace := .deployNameSpace }} +{{- $img := .image.tiller }} +{{- $secretName := default "tiller-secret" .secret.tillerSecretName }} +{{- $ctx := dict "ctx" $topCtx "key" $key }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "common.serviceaccountname.tiller" $ctx }} + namespace: {{ $deployNameSpace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ include "common.tillerName" $ctx }}-tiller-base + namespace: {{ $nameSpace }} +rules: +- apiGroups: [""] + resources: ["secrets"] + resourceNames: [ {{ $secretName }} ] + verbs: ["get"] +- apiGroups: [""] + resources: ["pods/portforward"] + verbs: ["create"] +- apiGroups: [""] + resources: ["pods", "configmaps", "deployments", "services"] + verbs: ["get", "list", "create", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-base + namespace: {{ $nameSpace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "common.tillerName" $ctx 
}}-tiller-base +subjects: + - kind: ServiceAccount + name: {{ include "common.serviceaccountname.tiller" $ctx }} + namespace: {{ $deployNameSpace }} +{{- if .serviceAccount.role }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ include "common.tillerName" $ctx }}-tiller-deployer + namespace: {{ $nameSpace }} +rules: +{{ toYaml .serviceAccount.role }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-deployer + namespace: {{ $nameSpace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "common.tillerName" $ctx }}-tiller-deployer +subjects: + - kind: ServiceAccount + name: {{ include "common.serviceaccountname.tiller" $ctx }} + namespace: {{ $deployNameSpace }} +{{- end }} +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + labels: + app: helm + name: tiller + name: {{ include "common.deploymentname.tiller" $ctx }} + namespace: {{ $deployNameSpace }} +spec: + replicas: 1 + template: + metadata: + labels: + app: helm + name: tiller + spec: + automountServiceAccountToken: true + imagePullSecrets: + {{- if $img.repositoryCred }} + - name: {{ $img.repositoryCred }} + {{- else }} + - name: {{ include "common.repositoryCred" $topCtx }} + {{- end }} + containers: + - env: + - name: TILLER_NAMESPACE + value: {{ $deployNameSpace }} + - name: TILLER_HISTORY_MAX + value: "0" + - name: TILLER_TLS_VERIFY + value: "1" + - name: TILLER_TLS_ENABLE + value: "1" + - name: TILLER_TLS_CERTS + value: /etc/certs + image: {{ if $img.repository }}{{- $img.repository -}}/{{ else }}{{ include "common.repository" $topCtx -}}/{{- end -}}{{- $img.name -}}{{- if $img.tag -}} : {{- $img.tag -}} {{- end }} + imagePullPolicy: {{ default "IfNotPresent" $img.pullPolicy }} + livenessProbe: + httpGet: + path: /liveness + port: 44135 + initialDelaySeconds: 1 + timeoutSeconds: 1 + name: tiller + ports: + 
- containerPort: 44134 + name: tiller + - containerPort: 44135 + name: http + readinessProbe: + httpGet: + path: /readiness + port: 44135 + initialDelaySeconds: 1 + timeoutSeconds: 1 + volumeMounts: + - mountPath: /etc/certs + name: tiller-certs + readOnly: true + serviceAccountName: {{ include "common.serviceaccountname.tiller" $ctx }} + volumes: + - name: tiller-certs + secret: + secretName: {{ $secretName }} +--- +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app: helm + name: tiller + name: {{ include "common.servicename.tiller" $ctx }} + namespace: {{ $deployNameSpace }} +spec: + ports: + - name: tiller + port: {{ default 44134 .port }} + targetPort: tiller + selector: + app: helm + name: tiller + type: ClusterIP +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/ric-infra/25-tiller/helm/ricplt-tiller/templates/job-tiller-secrets.yaml b/ric-infra/25-tiller/helm/ricplt-tiller/templates/job-tiller-secrets.yaml new file mode 100644 index 00000000..0a1a29ad --- /dev/null +++ b/ric-infra/25-tiller/helm/ricplt-tiller/templates/job-tiller-secrets.yaml 
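Review bot: The `tiller-base` Role grants tiller's own service account `create` on `pods/portforward`; that verb comes from Helm's documented *user* role (it lets a client port-forward to the tiller pod), not from anything tiller itself needs, and here it lets anyone holding the tiller client certificate open a tunnel into any pod in `{{ $nameSpace }}` - drop that rule. The Role and RoleBinding are created in `$nameSpace` while `TILLER_NAMESPACE` is set to `$deployNameSpace`, which is where Tiller keeps its release ConfigMaps, so unless something outside this chart grants configmap access in the deploy namespace release storage will be denied; worth confirming before merge. The `"deployments"` entry under `apiGroups: [""]` is a no-op (deployments are not in the core group) and can go. For a pod that holds a deployer credential there is also no `securityContext` (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`), and `extensions/v1beta1` / `rbac.authorization.k8s.io/v1beta1` are deprecated in favour of `apps/v1` and `rbac.authorization.k8s.io/v1`.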
@@ -0,0 +1,102 @@ +{{/* + Copyright (c) 2019 AT&T Intellectual Property. + Copyright (c) 2019 Nokia. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} + +{{- if .Values.global }} +{{- if .Values.global.tillers }} +{{- $topCtx := . }} +{{- range keys .Values.global.tillers }} +{{- $key := . }} +{{- with index $topCtx.Values.global.tillers . }} +{{- $img := .image.tillerTLSSecrets }} +{{- $tillerSecret := default "tiller-secret" .secret.tillerSecretName }} +{{- $helmSecret := default "helm-secret" .secret.helmSecretName }} +{{- $serviceAccountName := default "tiller" .serviceAccount }} +{{- $nameSpace := .nameSpace }} +{{- $deployNameSpace := .deployNameSpace }} +{{- $img := .image.tillerTLSSecrets }} +{{- $ctx := dict "ctx" $topCtx "key" $key }} +{{- if .secret.create }} +{{- $serviceAccountName := randAlpha 6 | lower | printf "tiller-secret-creator-%s" }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $serviceAccountName }} + namespace: {{ $deployNameSpace }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: {{ $serviceAccountName }}-secret-create + namespace: {{ $deployNameSpace }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: {{ $serviceAccountName }}-secret-create + namespace: {{ $deployNameSpace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $serviceAccountName 
}}-secret-create +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $deployNameSpace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: tiller-secret-generator + namespace: {{ $deployNameSpace }} +spec: + template: + spec: + serviceAccountName: {{ $serviceAccountName }} + restartPolicy: Never + imagePullSecrets: + {{- if $img.repositoryCred }} + - name: {{ $img.repositoryCred }} + {{- else }} + - name: {{ include "common.repositoryCred" $topCtx }} + {{- end }} + containers: + - name: tiller-secret-generator + image: {{ if $img.repository }}{{- $img.repository -}}/{{ else }} {{ include "common.repository" $topCtx -}}/{{- end -}}{{- $img.name -}}{{- if $img.tag -}} : {{- $img.tag -}} {{- end }} + imagePullPolicy: {{ default "IfNotPresent" $img.pullPolicy }} + env: + - name: ENTITIES + value: {{ tuple $tillerSecret $helmSecret | join " " }} + - name: TILLER_KEY_NAME + value: {{ $tillerSecret }}.key.pem + - name: TILLER_CERT_NAME + value: {{ $tillerSecret }}.cert.pem + - name: HELM_KEY_NAME + value: {{ $helmSecret }}.key.pem + - name: HELM_CERT_NAME + value: {{ $helmSecret }}.cert.pem + - name: TILLER_CN + value: {{ default ( include "common.servicename.tiller" $ctx ) .hostname }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/ric-infra/25-tiller/helm/ricplt-tiller/values.yaml b/ric-infra/25-tiller/helm/ricplt-tiller/values.yaml new file mode 100644 index 00000000..3c0fc2b0 --- /dev/null +++ b/ric-infra/25-tiller/helm/ricplt-tiller/values.yaml 
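Review bot: The `-secret-create` Role grants `create`, `get` and `patch` on every Secret in `$deployNameSpace`, although the generator only writes `$tillerSecret` and `$helmSecret`; `create` cannot be name-scoped, but `get` and `patch` can, so splitting the rule keeps the short-lived generator from reading or modifying unrelated secrets in that namespace. Separately, `$img` is bound twice from `.image.tillerTLSSecrets`, and `$serviceAccountName` is first bound to `.serviceAccount` (a mapping in the example values.yaml, not a name) and then shadowed by the `randAlpha` name inside `if .secret.create`, so the first binding is dead. The Job name `tiller-secret-generator` does not include `$key`, so two tiller entries that share a `deployNameSpace` would render two Jobs with the same name.
```yaml
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: [{{ $tillerSecret | quote }}, {{ $helmSecret | quote }}]
  verbs: ["get", "patch"]
```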
@@ -0,0 +1,26 @@ +tillers: +# ricxapp: +# image: +# tillerTLSSecrets: +# name: it-dep-secrets +# tiller: +# repository: gcr.io +# name: kubernetes-helm/tiller +# tag: v2.12.3 +# secret: +# create: true +# tillerSecretName: ricxapp-tiller-secret +# helmSecretName: ricxapp-helm-secret +# tls: +# authenticate: true +# verify: true +# serviceAccount: +# name: tiller +# role: +# - apiGroups: [""] +# resources: ["pods", "configmaps", "services"] +# verbs: ["get", "list", "create", "delete"] +# - apiGroups: ["extensions", "apps"] +# resources: ["deployments"] +# verbs: ["get", "list", "create", "delete"] +# port: 44134 diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/appconfig.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/appconfig.yaml index 894e2b1e..84866edf 100644 --- a/ric-platform/50-RIC-Platform/helm/appmgr/templates/appconfig.yaml +++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/appconfig.yaml @@ -14,7 +14,9 @@ # See the License for the specific language governing permissions and # # limitations under the License. # ################################################################################ - +{{- $tillerKey := .Values.appmgr.tillerkey | default "ricxapp" }} +{{- $topCtx := . }} +{{- $ctx := dict "ctx" $topCtx "key" $tillerKey }} apiVersion: v1 kind: ConfigMap metadata: 
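Review bot: With every entry commented out, `tillers:` renders as null rather than an empty mapping, and the chart templates in this change read `.Values.global.tillers`, not a top-level `tillers` key, so this file is never consulted unless the recipe supplies these values under `global`. If the top-level key is intentional as documentation, `tillers: {}` makes the empty default explicit. The commented example also shows `serviceAccount:` as a mapping with a `name` child, while job-tiller-secrets.yaml applies `default "tiller" .serviceAccount` to it as if it were a scalar; one of the two should change.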
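Review bot: The three-line preamble binding `$tillerKey`, `$topCtx` and `$ctx` is repeated verbatim here and in the deployment.yaml, env.yaml and serviceaccount.yaml hunks of this change; a named template returning the dict (for example `{{- $ctx := include "appmgr.tillerctx" . | fromYaml }}` style, or simply a helper for the key) would keep the `"ricxapp"` fallback from drifting between files. values.yaml already sets `tillerkey: "ricxapp"`, so each `| default "ricxapp"` is a second copy of the same literal.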
@@ -23,8 +25,8 @@ data: {{- $restport := (printf ":%s" (include "common.serviceport.appmgr.http" .) ) | quote -}} {{- $helmrepo := include "common.helmrepository" . | quote -}} {{- $reponame := default "helm-repo" .Values.appmgr.reponame | quote -}} - {{- $tiller := include "common.helmrepositorytiller" . | quote -}} - {{- $tillernamespace := include "common.helmrepositorytillernamespace" . | quote -}} - {{- $tillerport := include "common.helmrepositorytillerport" . | quote -}} + {{- $tiller := include "common.servicename.tiller" $ctx | quote -}} + {{- $tillernamespace := include "common.tillerNameSpace" $ctx | quote -}} + {{- $tillerport := include "common.tillerPort" $ctx | quote -}} {{- $xappnamespace := include "common.namespace.xapp" . | quote -}} {{- (.Files.Glob "resources/appmgr.yaml").AsConfig | replace "__XAPP_NAMESPACE__" $xappnamespace | replace "__HELM_REPO__" $helmrepo | replace "__REST_PORT__" $restport | replace "__REPO_NAME__" $reponame | replace "__TILLER_SERVICE__" $tiller | replace "__TILLER_NAMESPACE__" $tillernamespace | replace "__TILLER_PORT__" $tillerport | nindent 2 }} diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/bin/_appmgr-tiller-secret-copier.sh.tpl b/ric-platform/50-RIC-Platform/helm/appmgr/templates/bin/_appmgr-tiller-secret-copier.sh.tpl new file mode 100644 index 00000000..4b17cfb6 --- /dev/null +++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/bin/_appmgr-tiller-secret-copier.sh.tpl 
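Review bot: `__TILLER_NAMESPACE__` is filled from `common.tillerNameSpace`, whereas the tiller Deployment and Service in _helmtiller.tpl are created in `$deployNameSpace` and the tiller pod's `TILLER_NAMESPACE` is also the deploy namespace; serviceaccount.yaml in this same change uses `common.tillerDeployNameSpace` for the namespace it grants access in. If the appmgr helm client passes this value as its tiller namespace, the line should presumably read `{{- $tillernamespace := include "common.tillerDeployNameSpace" $ctx | quote -}}`. The two helpers are defined outside this view, so confirm against _helmtiller.tpl before changing it.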
@@ -0,0 +1,41 @@ +{{/* + Copyright (c) 2019 AT&T Intellectual Property. + Copyright (c) 2019 Nokia. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} +#!/bin/sh +if [ -x /svcacct-to-kubeconfig.sh ] ; then + /svcacct-to-kubeconfig.sh +fi + +if [ ! -z "${HELM_TLS_CA_CERT}" ]; then + kubectl -n ${SECRET_NAMESPACE} get secret -o yaml ${SECRET_NAME} | \ + grep 'ca.crt:' | \ + awk '{print $2}' | \ + base64 -d > ${HELM_TLS_CA_CERT} +fi + +if [ ! -z "${HELM_TLS_CERT}" ]; then + kubectl -n ${SECRET_NAMESPACE} get secret -o yaml ${SECRET_NAME} | \ + grep 'tls.crt:' | \ + awk '{print $2}' | \ + base64 -d > ${HELM_TLS_CERT} +fi + +if [ ! -z "${HELM_TLS_KEY}" ]; then + kubectl -n ${SECRET_NAMESPACE} get secret -o yaml ${SECRET_NAME} | \ + grep 'tls.key:' | \ + awk '{print $2}' | \ + base64 -d > ${HELM_TLS_KEY} +fi diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/bin/_svcacct-to-kubeconfig.sh.tpl b/ric-platform/50-RIC-Platform/helm/appmgr/templates/bin/_svcacct-to-kubeconfig.sh.tpl new file mode 100755 index 00000000..9be3db62 --- /dev/null +++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/bin/_svcacct-to-kubeconfig.sh.tpl 
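Review bot: The TLS client key is written to `${HELM_TLS_KEY}` with the process's default umask, and a failing `kubectl` inside each pipeline is not caught (the pipeline's status is that of `base64`), so a failed fetch silently leaves an empty certificate or key file that the helm client then tries to use; `umask 077` at the top and fetching the field into a variable before decoding fix both. Scraping `-o yaml` with `grep 'tls.key:'` matches any line containing that text and depends on how kubectl prints the secret; `-o jsonpath='{.data.tls\.key}'` returns exactly the field. The same secret is fetched three times, so one helper keeps the three blocks identical, and `${SECRET_NAMESPACE}`/`${SECRET_NAME}` should be quoted.
```sh
#!/bin/sh
set -e
# files created below include a private key: make them owner-readable only
umask 077
# … unchanged: svcacct-to-kubeconfig.sh invocation …

# print one base64-decoded field of the helm client TLS secret; fail loudly if absent
secret_field() {
  data=$(kubectl -n "${SECRET_NAMESPACE}" get secret "${SECRET_NAME}" \
           -o "jsonpath={.data.$1}")
  [ -n "${data}" ] || { echo "field $1 missing from secret ${SECRET_NAME}" >&2; exit 1; }
  printf '%s' "${data}" | base64 -d
}

if [ -n "${HELM_TLS_CA_CERT}" ]; then
  secret_field 'ca\.crt' > "${HELM_TLS_CA_CERT}"
fi
# … same pattern for HELM_TLS_CERT (tls\.crt) and HELM_TLS_KEY (tls\.key) …
```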
@@ -0,0 +1,46 @@ +{{/* + Copyright (c) 2019 AT&T Intellectual Property. + Copyright (c) 2019 Nokia. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} +#!/bin/sh + +# generate a kubconfig (at ${KUBECONFIG} file from the automatically-mounted +# service account token. +# ENVIRONMENT: +# SVCACCT_NAME: the name of the service account user. default "default" +# CLUSTER_NAME: the name of the kubernetes cluster. default "kubernetes" +# KUBECONFIG: where the generated file will be deposited. +SVCACCT_TOKEN=`cat /var/run/secrets/kubernetes.io/serviceaccount/token` +CLUSTER_CA=`base64 /var/run/secrets/kubernetes.io/serviceaccount/ca.crt|tr -d '\n'` + +cat >${KUBECONFIG} <<__EOF__ +ApiVersion: v1 +kind: Config +users: +- name: ${SVCACCT_NAME:-default} + user: + token: ${SVCACCT_TOKEN} +clusters: +- cluster: + certificate-authority-data: ${CLUSTER_CA} + server: https://${K8S_API_HOST:-kubernetes.default.svc.cluster.local}/ + name: ${CLUSTER_NAME:-kubernetes} +contexts: +- context: + cluster: ${CLUSTER_NAME:-kubernetes} + user: ${SVCACCT_NAME:-default} + name: svcs-acct-context +current-context: svcs-acct-context +__EOF__ diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/configmap-bin.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/configmap-bin.yaml new file mode 100644 index 00000000..dfd07140 --- /dev/null +++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/configmap-bin.yaml 
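Review bot: The generated file uses `ApiVersion: v1`, while the kubeconfig schema key is `apiVersion`; kubectl may tolerate the unknown field, but the line should read `apiVersion: v1`. The file also carries the service-account bearer token in plaintext at `${KUBECONFIG}` (the deployment sets this to `/tmp/kubeconfig`) and is created under the default umask, so a `umask 077` before the heredoc keeps it owner-readable only, and the script should fail early if `KUBECONFIG` is unset rather than redirecting to an empty name. Backtick command substitution and the unquoted `${KUBECONFIG}` are a style point; `$(...)` and quoting are the POSIX-preferred forms. The header comment's "kubconfig" and the unbalanced "(at ${KUBECONFIG} file" should also be tidied.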
@@ -0,0 +1,26 @@ +################################################################################ +# Copyright (c) 2019 AT&T Intellectual Property. # +# Copyright (c) 2019 Nokia. # +# # +# Licensed under the Apache License, Version 2.0 (the "License"); # +# you may not use this file except in compliance with the License. # +# You may obtain a copy of the License at # +# # +# http://www.apache.org/licenses/LICENSE-2.0 # +# # +# Unless required by applicable law or agreed to in writing, software # +# distributed under the License is distributed on an "AS IS" BASIS, # +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # +# See the License for the specific language governing permissions and # +# limitations under the License. # +################################################################################ + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.configmapname.appmgr" . }}-bin +data: + appmgr-tiller-secret-copier.sh: | + {{- include "appmgr/templates/bin/_appmgr-tiller-secret-copier.sh.tpl" . | indent 4 }} + svcacct-to-kubeconfig.sh: | + {{- include "appmgr/templates/bin/_svcacct-to-kubeconfig.sh.tpl" . | indent 4 }} diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml index ce05589c..bd1455f2 100644 --- a/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml +++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml @@ -14,7 +14,10 @@ # See the License for the specific language governing permissions and # # limitations under the License. # ################################################################################ - +{{- $tillerKey := .Values.appmgr.tillerkey | default "ricxapp" }} +{{- $topCtx := . }} +{{- $ctx := dict "ctx" $topCtx "key" $tillerKey }} +{{- $secretPath := .Values.appmgr.appsecretpath | default "/opt/ric/secret" }} apiVersion: apps/v1 kind: Deployment metadata: 
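Review bot: `{{- include ... | indent 4 }}` only renders correctly because both included script templates begin with an empty line left after their `{{/* */}}` license comment; `indent` prefixes the first line too, so without that blank line the shebang would land on the `|` header line and the ConfigMap would fail to parse. The robust pairing is `nindent 4` here together with a trailing whitespace trim on the comment in the two script templates (`*/ -}}`), which keeps `#!/bin/sh` on line 1 of the rendered script without relying on the accidental blank line. This is inferred from the template text; check the rendered ConfigMap after changing either side.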
@@ -45,6 +48,39 @@ spec: serviceAccountName: {{ include "common.serviceaccountname.appmgr" . }} imagePullSecrets: - name: {{ include "common.repositoryCred" . }} +{{- if or (eq ( include "common.tillerTLSVerify" $ctx ) "true" ) (eq ( include "common.tillerTLSAuthenticate" $ctx ) "true") }} + initContainers: + - name: {{ include "common.containername.appmgr" . }}-copy-tiller-secret + image: {{ include "common.repository" . }}/{{ .Values.appmgr.image.init.name }}:{{ .Values.appmgr.image.init.tag }} + imagePullPolicy: {{ default "IfNotPresent" .pullPolicy }} + env: + - name: SVCACCT_NAME + value: {{ include "common.serviceaccountname.appmgr" . }} + - name: CLUSTER_NAME + value: {{ default "kubernetes" .Values.global.clusterName }} + - name: KUBECONFIG + value: /tmp/kubeconfig + - name: K8S_API_HOST + value: "kubernetes.default.svc.{{ default "cluster.local" .Values.global.dnsDomain }}" + - name: SECRET_NAMESPACE + value: {{ include "common.tillerDeployNameSpace" $ctx }} + - name: SECRET_NAME + value: {{ include "common.tillerHelmClientTLSSecret" $ctx }} + envFrom: + - configMapRef: + name: {{ include "common.configmapname.appmgr" . }}-env + command: ["/appmgr-tiller-secret-copier.sh"] + volumeMounts: + - name: helm-secret-volume + mountPath: {{ $secretPath }} + readOnly: false + - name: appmgr-bin-volume + mountPath: /svcacct-to-kubeconfig.sh + subPath: svcacct-to-kubeconfig.sh + - name: appmgr-bin-volume + mountPath: /appmgr-tiller-secret-copier.sh + subPath: appmgr-tiller-secret-copier.sh +{{- end }} containers: - name: {{ include "common.containername.appmgr" . }} image: {{ include "common.repository" . }}/{{ .Values.appmgr.image.name }}:{{ .Values.appmgr.image.tag }} 
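Review bot: `imagePullPolicy: {{ default "IfNotPresent" .pullPolicy }}` reads `.pullPolicy` from the root template context, where no such field exists, so the value is always `IfNotPresent`; the sibling image fields come from `.Values.appmgr.image.init`, so this presumably should be `{{ default "IfNotPresent" .Values.appmgr.image.init.pullPolicy }}`. `readOnly: false` on the `helm-secret-volume` mount is the default and can be dropped. The init container's `SECRET_NAMESPACE` and `SECRET_NAME` are the only inputs that decide which secret the service account reads, which matches the name-scoped `get` rule in serviceaccount.yaml. The Deployment spec continues outside the hunk.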
@@ -63,10 +99,17 @@ spec: - name: config-volume mountPath: {{ .Values.appmgr.appconfigpath }}/appmgr.yaml subPath: appmgr.yaml - - name: secret-volume - mountPath: {{ .Values.appmgr.appsecretpath }} - name: cert-volume mountPath: {{ .Values.appmgr.appcertpath }} + - name: helm-secret-volume + mountPath: {{ $secretPath }} + readOnly: false + - name: secret-volume + mountPath: {{ $secretPath }}/helm_repo_username + subPath: helm_repo_username + - name: secret-volume + mountPath: {{ $secretPath }}/helm_repo_password + subPath: helm_repo_password envFrom: - configMapRef: name: {{ include "common.configmapname.appmgr" . }}-env @@ -91,9 +134,15 @@ spec: - name: config-volume configMap: name: {{ include "common.configmapname.appmgr" . }}-appconfig + - name: cert-volume + configMap: + name: {{ include "common.helmrepositorycert" . }} - name: secret-volume secret: secretName: {{ include "common.helmrepositorycred" . }} - - name: cert-volume + - name: helm-secret-volume + emptyDir: {} + - name: appmgr-bin-volume configMap: - name: {{ include "common.helmrepositorycert" . }} + name: {{ include "common.configmapname.appmgr" . }}-bin + defaultMode: 0755 diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/env.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/env.yaml index e0139f09..69ef4a14 100644 --- a/ric-platform/50-RIC-Platform/helm/appmgr/templates/env.yaml +++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/env.yaml @@ -14,7 +14,9 @@ # See the License for the specific language governing permissions and # # limitations under the License. # ################################################################################ - +{{- $tillerKey := .Values.appmgr.tillerkey | default "ricxapp" }} +{{- $topCtx := . }} +{{- $ctx := dict "ctx" $topCtx "key" $tillerKey }} apiVersion: v1 kind: ConfigMap metadata: 
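Review bot: `helm-secret-volume` receives the helm client TLS key and CA from the init container but is a disk-backed `emptyDir: {}` in the second hunk; `emptyDir: {medium: Memory}` keeps the key out of node storage, and since only the init container writes it, the appmgr container's mount of that volume in the first hunk can be `readOnly: true` instead of `readOnly: false`. `defaultMode: 0755` is read as octal (493) by YAML 1.1 parsers, which is what Kubernetes expects; under a YAML 1.2 parser it would be decimal 755 and rejected, so `493` or `0o755` would be unambiguous if the chart is ever linted that way.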
@@ -26,4 +28,15 @@ data: DBAAS_PORT_6379_TCP_ADDR: {{ include "common.servicename.dbaas.tcp" . | quote }} DBAAS_PORT_6379_TCP_PORT: {{ include "common.serviceport.dbaas.tcp" . | quote }} RMR_RTG_SVC: {{ include "common.serviceport.appmgr.rmr.route" . | quote }} - +{{- $certPath := .Values.appmgr.appcertpath | default "/opt/ric/certificates" }} +{{- $secretPath := .Values.appmgr.appsecretpath | default "/opt/ric/secret" }} +{{- if eq (include "common.tillerTLSVerify" $ctx) "true" }} + HELM_TLS_VERIFY: "true" + HELM_TLS_CA_CERT: "{{ $secretPath }}/tiller-ca.cert" + HELM_TLS_HOSTNAME: {{ include "common.servicename.tiller" $ctx | quote }} +{{- end }} +{{- if eq (include "common.tillerTLSAuthenticate" $ctx) "true" }} + HELM_TLS_ENABLED: "true" + HELM_TLS_CERT: "{{ $secretPath }}/helm-client.cert" + HELM_TLS_KEY: "{{ $secretPath }}/helm-client.key" +{{- end }} diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml index 6164f73d..18068892 100644 --- a/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml +++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml @@ -1,3 +1,6 @@ +{{- $tillerKey := .Values.appmgr.tillerkey | default "ricxapp" }} +{{- $topCtx := . }} +{{- $ctx := dict "ctx" $topCtx "key" $tillerKey }} --- apiVersion: v1 kind: ServiceAccount 
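Review bot: `$certPath` is bound from `.Values.appmgr.appcertpath` but never used in this hunk, so the line is dead. If these variables are consumed by the helm 2 client, its TLS toggle is `HELM_TLS_ENABLE`, not `HELM_TLS_ENABLED`, so the line should read `HELM_TLS_ENABLED` → `HELM_TLS_ENABLE: "true"`; if appmgr reads them itself, the name only needs to match its own configuration, which is outside this view. The file names under `$secretPath` (`tiller-ca.cert`, `helm-client.cert`, `helm-client.key`) agree with what the copier script writes, which is worth a one-line comment here since the two files must stay in sync.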
@@ -8,23 +11,31 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: - name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" . }}-access - namespace: {{ include "common.helmrepositorytillernamespace" . }} + name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access + namespace: {{ include "common.tillerDeployNameSpace" $ctx }} rules: - apiGroups: [""] resources: ["pods", "pods/portforward"] verbs: ["get", "list", "create"] + +{{- if or (eq (include "common.tillerTLSVerify" $ctx) "true" ) (eq (include "common.tillerTLSAuthenticate" $ctx) "true") }} +- apiGroups: [""] + resources: ["secrets"] + resourceNames: [ {{ include "common.tillerHelmClientTLSSecret" $ctx | quote }} ] + verbs: ["get"] +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: - name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access - namespace: {{ include "common.helmrepositorytillernamespace" . }} + name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access + namespace: {{ include "common.tillerDeployNameSpace" $ctx }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access + name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-access subjects: - kind: ServiceAccount name: {{ include "common.serviceaccountname.appmgr" . }} namespace: {{ include "common.namespace.platform" . }} +--- diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/values.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/values.yaml index 351962c1..d36600c5 100644 --- a/ric-platform/50-RIC-Platform/helm/appmgr/values.yaml +++ b/ric-platform/50-RIC-Platform/helm/appmgr/values.yaml 
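Review bot: The Role and RoleBinding are named with `common.tillerNameSpace` but created in `common.tillerDeployNameSpace`, so if the two helpers ever return different namespaces the object name no longer says where it lives; using the deploy namespace in the name keeps name and placement aligned. The added `secrets` rule is correctly limited with `resourceNames` to the helm client TLS secret, which is the right least-privilege shape for the init container's read. The trailing `+---` at the end of the file adds an empty document after the RoleBinding, which Helm ignores but yamllint flags; it can be dropped.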
@@ -64,9 +64,12 @@ helmRepositoryTillerPort: 44134 appmgr: image: - # xAppmanager Docker image name and tag - name: ric-plt-appmgr - tag: 0.1.3 + # xAppmanager Docker image name and tag + init: + name: it-dep-init + tag: latest + name: ric-plt-appmgr + tag: 0.1.3 # This section describes xAppManager replicaCount: 1 @@ -92,6 +95,4 @@ appmgr: # Path referred in xapp-manager for retrieving helm repo client certificates appcertpath: /opt/ric/certificates - - - + tillerkey: "ricxapp" -- 2.16.6
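Review bot: `init: tag: latest` pins the secret-copier init image to a mutable tag, so the image that handles the helm client TLS key can change under the deployment without any chart change; pin it to an immutable tag like the sibling `tag: 0.1.3`, and quote version-looking tags (`tag: "0.1.3"`) so a future `1.10`-style tag is not read as a float. The comment `# xAppmanager Docker image name and tag` now sits above the `init` block it does not describe; a short `# init container image used to copy the tiller TLS secret` above `init:` would make the split clear.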