Add serviceaccount support to common and appmgr

This change adds a serviceaccount to the appmgr helm chart with explicit
permission to list pods in the namespace where it expects to find its
tiller; this is to handle the case where the default serviceaccount is
not allowed to list pods.

To support his, service account name support was added to the common
chart.

signed-off-by: dave kormann <dk3239@att.com>
Change-Id: Ia1c46ebbaf5d22731d657858b56efcef8d13d5f5

diff --git a/ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl b/ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl
new file mode 100644 (file)
index 0000000..9daabc9
--- /dev/null
+++ b/ric-common/Common-Template/helm/ric-common/templates/_serviceaccountname.tpl
@@ -0,0 +1,71 @@
+################################################################################
+#   Copyright (c) 2019 AT&T Intellectual Property.                             #
+#   Copyright (c) 2019 Nokia.                                                  #
+#                                                                              #
+#   Licensed under the Apache License, Version 2.0 (the "License");            #
+#   you may not use this file except in compliance with the License.           #
+#   You may obtain a copy of the License at                                    #
+#                                                                              #
+#       http://www.apache.org/licenses/LICENSE-2.0                             #
+#                                                                              #
+#   Unless required by applicable law or agreed to in writing, software        #
+#   distributed under the License is distributed on an "AS IS" BASIS,          #
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+#   See the License for the specific language governing permissions and        #
+#   limitations under the License.                                             #
+################################################################################
+
+{{/*
+  Resolve the name of a chart's serviceaccount
+*/}}
+
+
+{{- define "common.serviceaccountname.appmgr" -}}
+  {{- $name := ( include "common.fullname.appmgr" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.dbaas" -}}
+  {{- $name := ( include "common.fullname.dbaas" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.e2mgr" -}}
+  {{- $name := ( include "common.fullname.e2mgr" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.e2term" -}}
+  {{- $name := ( include "common.fullname.e2term" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.rtmgr" -}}
+  {{- $name := ( include "common.fullname.rtmgr" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.a1mediator" -}}
+  {{- $name := ( include "common.fullname.a1mediator" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.nexus" -}}
+  {{- $name := ( include "common.fullname.nexus" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.dashboard" -}}
+  {{- $name := ( include "common.fullname.dashboard" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.messagerouter" -}}
+  {{- $name := ( include "common.fullname.messagerouter" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "common.serviceaccountname.ves" -}}
+  {{- $name := ( include "common.fullname.ves" . ) -}}
+  {{- printf "svcacct-%s" $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml
index a484813..1ea190b 100644 (file)
--- a/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml
+++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/deployment.yaml
@@ -38,6 +38,7 @@ spec:
         release: {{ .Release.Name }}
     spec:
       hostname: {{ include "common.name.appmgr" . }}
+      serviceAccountName: {{ include "common.serviceaccountname.appmgr" . }}
       imagePullSecrets:
         - name: {{ include "common.repositoryCred" . }}
       containers:

diff --git a/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
new file mode 100644 (file)
index 0000000..8dbb63c
--- /dev/null
+++ b/ric-platform/50-RIC-Platform/helm/appmgr/templates/serviceaccount.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "common.serviceaccountname.appmgr" . }}
+  namespace: {{ include "common.namespace.platform" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" . }}-access
+  namespace: {{ include "common.helmrepositorytillernamespace" . }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access
+  namespace: {{ include "common.helmrepositorytillernamespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.helmrepositorytillernamespace" .}}-access
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "common.serviceaccountname.appmgr" . }}
+    namespace: {{ include "common.namespace.platform" . }}