From 67fad68783e4cca334127bc184fc93d280c075df Mon Sep 17 00:00:00 2001 From: Maarten de Waard Date: Thu, 29 Sep 2022 17:26:47 +0200 Subject: [PATCH] add rbac to the helm chart, use temporary backend image --- deployment/helmchart/Chart.lock | 6 +-- deployment/helmchart/Chart.yaml | 4 +- .../helmchart/templates/configmaps.yaml | 1 + .../helmchart/templates/rbac/clusterrole.yaml | 45 +++++++++++++++++++ .../templates/rbac/clusterrolebinding.yaml | 23 ++++++++++ .../templates/rbac/serviceaccount.yaml | 22 +++++++++ deployment/helmchart/values.yaml | 25 ++++++++++- 7 files changed, 120 insertions(+), 6 deletions(-) create mode 100644 deployment/helmchart/templates/rbac/clusterrole.yaml create mode 100644 deployment/helmchart/templates/rbac/clusterrolebinding.yaml create mode 100644 deployment/helmchart/templates/rbac/serviceaccount.yaml diff --git a/deployment/helmchart/Chart.lock b/deployment/helmchart/Chart.lock index ad1c194..4e066a3 100644 --- a/deployment/helmchart/Chart.lock +++ b/deployment/helmchart/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: common repository: https://charts.bitnami.com/bitnami - version: 2.0.1 -digest: sha256:eac8729956b60d78414de3eea46b919b44afcd7afdcd19dacd640269b3d731f2 -generated: "2022-08-24T15:52:13.18511608+02:00" + version: 2.0.3 +digest: sha256:dfd07906c97f7fca7593af69d01f6f044e10a609a03057352142766a5caca6cd +generated: "2022-09-29T15:38:57.444746866+02:00" diff --git a/deployment/helmchart/Chart.yaml b/deployment/helmchart/Chart.yaml index d2e8368..90a2abd 100644 --- a/deployment/helmchart/Chart.yaml +++ b/deployment/helmchart/Chart.yaml @@ -1,7 +1,7 @@ annotations: category: Dashboard apiVersion: v2 -appVersion: 0.2.8 +appVersion: 0.3.0 dependencies: - name: common # https://artifacthub.io/packages/helm/bitnami/common @@ -23,4 +23,4 @@ name: stackspin-dashboard sources: - https://open.greenhost.net/stackspin/dashboard/ - https://open.greenhost.net/stackspin/dashboard-backend/ -version: 1.2.3 +version: 1.3.0 
diff --git a/deployment/helmchart/templates/configmaps.yaml b/deployment/helmchart/templates/configmaps.yaml index a6c9346..8221461 100644 --- a/deployment/helmchart/templates/configmaps.yaml +++ b/deployment/helmchart/templates/configmaps.yaml @@ -24,6 +24,7 @@ data: HYDRA_ADMIN_URL: {{ .Values.backend.hydra.adminUrl }} LOGIN_PANEL_URL: {{ .Values.backend.loginPanelUrl }} DATABASE_URL: {{ .Values.backend.databaseUrl }} + LOAD_INCLUSTER_CONFIG: "true" # {{- if .Values.backend.smtp.enabled }} # DASHBOARD_BACKEND_SMTP_HOST: {{ .Values.backend.smtp.host | quote }} # DASHBOARD_BACKEND_SMTP_PORT: {{ .Values.backend.smtp.port | quote }} diff --git a/deployment/helmchart/templates/rbac/clusterrole.yaml b/deployment/helmchart/templates/rbac/clusterrole.yaml new file mode 100644 index 0000000..1ac5261 --- /dev/null +++ b/deployment/helmchart/templates/rbac/clusterrole.yaml @@ -0,0 +1,45 @@ +{{- if .Values.rbac.create -}} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: ClusterRole +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - kustomize.toolkit.fluxcd.io + resources: + - kustomizations + verbs: + - list + - delete + - get + - patch + - create + - apiGroups: + - helm.toolkit.fluxcd.io + resources: + - helmreleases + verbs: + - list + - delete + - get + - patch + - create + - apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - list + - get + - patch + - delete +{{- end }} 
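Review bot: `LOAD_INCLUSTER_CONFIG: "true"` is hard-coded in the ConfigMap, while the RBAC objects and the ServiceAccount token added elsewhere in this patch are optional (`rbac.create`, `serviceAccount.automountServiceAccountToken`). With either switched off, the backend is presumably still told to load in-cluster credentials that are missing or unauthorised; the backend code is not visible here, so confirm how it fails in that case. Consider deriving the value from the chart settings, e.g. `LOAD_INCLUSTER_CONFIG: {{ .Values.rbac.create | quote }}`, and add a comment on the line saying what the flag switches on.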
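Review bot: The third rule grants `list`, `get`, `patch` and `delete` on `secrets` and `configmaps` in the core API group through a ClusterRole, so once it is bound by the ClusterRoleBinding in this patch the backend's token can read, modify and remove every Secret in every namespace. `list` on secrets returns their contents, so a compromise of the dashboard backend would expose all credentials stored in the cluster. If the backend only needs objects in known namespaces, move this rule to a namespaced `Role`/`RoleBinding` there, or limit `get`/`patch`/`delete` with `resourceNames`, and keep cluster-wide scope only for the Flux `kustomizations`/`helmreleases` rules if they need it. Separately, `namespace: {{ .Release.Namespace | quote }}` under `metadata` has no effect on a cluster-scoped object and can be dropped here and in clusterrolebinding.yaml.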
diff --git a/deployment/helmchart/templates/rbac/clusterrolebinding.yaml b/deployment/helmchart/templates/rbac/clusterrolebinding.yaml
new file mode 100644
index 0000000..0c6b92d
--- /dev/null
+++ b/deployment/helmchart/templates/rbac/clusterrolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.rbac.create -}}
+kind: ClusterRoleBinding
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: server
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "common.names.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "common.names.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/deployment/helmchart/templates/rbac/serviceaccount.yaml b/deployment/helmchart/templates/rbac/serviceaccount.yaml
new file mode 100644
index 0000000..9faba8a
--- /dev/null
+++ b/deployment/helmchart/templates/rbac/serviceaccount.yaml
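Review bot: The subject's `name` under `subjects` is rendered with `common.names.fullname`, but serviceaccount.yaml in this patch names the account with `dashboard.serviceAccountName`, and values.yaml lets `serviceAccount.name` override it. Whenever that name is set, or `serviceAccount.create` is false and an existing account is used, the binding would point at an account the backend presumably does not run as, and the role is never applied to it. Use the same helper for the subject: `name: {{ include "dashboard.serviceAccountName" . }}`.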
@@ -0,0 +1,22 @@ +{{- if and .Values.rbac.create .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "dashboard.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: server + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.serviceAccount.annotations "context" $) | nindent 4 }} + {{- end }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/deployment/helmchart/values.yaml b/deployment/helmchart/values.yaml index fa6e173..6010a38 100644 --- a/deployment/helmchart/values.yaml +++ b/deployment/helmchart/values.yaml @@ -236,7 +236,7 @@ backend: image: registry: open.greenhost.net:4567 repository: stackspin/dashboard-backend/dashboard-backend - tag: 0-2-10 + tag: load-incluster-config digest: "" ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. 
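Review bot: `dashboard.serviceAccountName` is used for `metadata.name`, but the diffstat of this patch touches neither a helpers template nor the backend Deployment. Unless both already exist outside this patch, either the template fails to render or the ServiceAccount is created while the backend pod keeps running as the namespace's `default` account and never receives the new ClusterRole; please confirm the Deployment sets `serviceAccountName: {{ include "dashboard.serviceAccountName" . }}`. The account is also created only when `rbac.create` is true, so `serviceAccount.create: true` with `rbac.create: false` yields no account; a comment in values.yaml should state that dependency.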
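Review bot: `tag: load-incluster-config` is a branch-style tag with `digest: ""`, so the backend image that receives the new cluster-wide RBAC is resolved by a mutable name. Whatever is pushed under that tag later will run with those permissions, and installs of chart `version: 1.3.0` will not be reproducible. Before this is released, pin the image by a release tag or by filling `digest` with the image's `sha256:` value, and mark the line with a comment such as `# temporary: replace with a release tag before publishing the chart`.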
@@ -695,3 +695,26 @@ ingress: ## key: ## certificate: secrets: [] + +# The dashboard-backend needs access to certain Kubernetes APIs to be able to +# install and remove apps +rbac: + ## @param backend.rbac.create Specifies whether RBAC resources should be created + create: true + +## ServiceAccount configuration for dashboard backend +## +serviceAccount: + ## @param backend.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param backend.serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param backend.serviceAccount.automountServiceAccountToken Automount service account token for the dashboard backend service account + ## + automountServiceAccountToken: true + ## @param backend.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. + ## + annotations: {}
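Review bot: The `@param` comments document `backend.rbac.create` and `backend.serviceAccount.*`, but the keys are added at the top level and the templates in this patch read `.Values.rbac.create` and `.Values.serviceAccount.*`, so a user who sets the documented `backend.*` paths changes nothing. Rename the comments to `rbac.create`, `serviceAccount.create` and so on. The `name` comment also says the default is generated with `common.names.fullname`, which holds only if `dashboard.serviceAccountName` (not shown in this patch) falls back to it. Since `create: true` installs cluster-wide access to Secrets by default, the comment above `rbac:` should say so, e.g. `# Creates a ClusterRole with list/get/patch/delete on all Secrets and ConfigMaps`.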