remove externalInterfaces + add RBAC and networkPolicy support (#882)
* remove externalInterfaces + add RBAC and networkPolicy support * mistaken double end * cleanup values a bit * fix a small mistake * That was the wrong mistake
committed by
GitHub
parent
4c3820037e
commit
6831d56ee4
@@ -18,4 +18,4 @@ maintainers:
|
||||
name: common
|
||||
sources: null
|
||||
type: library
|
||||
version: 6.12.5
|
||||
version: 6.13.0
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
This template serves as a blueprint for horizontal pod autoscaler objects that are created
|
||||
using the common library.
|
||||
*/}}
|
||||
{{- define "common.classes.hpa" -}}
|
||||
{{- define "common.hpa" -}}
|
||||
{{- if .Values.autoscaling.enabled -}}
|
||||
{{- $hpaName := include "common.names.fullname" . -}}
|
||||
{{- $targetName := include "common.names.fullname" . }}
|
||||
@@ -24,7 +24,9 @@ Main entrypoint for the common library chart. It will render all underlying temp
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{ include "common.classes.hpa" . | nindent 0 }}
|
||||
{{ include "common.rbac" . | nindent 0 }}
|
||||
|
||||
{{ include "common.hpa" . | nindent 0 }}
|
||||
|
||||
{{ include "common.service" . | nindent 0 }}
|
||||
|
||||
@@ -33,9 +35,11 @@ Main entrypoint for the common library chart. It will render all underlying temp
|
||||
{{- if .Values.secret -}}
|
||||
{{ include "common.secret" . | nindent 0 }}
|
||||
{{- end -}}
|
||||
{{ include "common.class.portal" . | nindent 0 }}
|
||||
|
||||
{{ include "common.class.mountPermissions" . | nindent 0 }}
|
||||
{{ include "common.classes.externalInterfaces" . | nindent 0 }}
|
||||
{{ include "common.configmap.portal" . | nindent 0 }}
|
||||
|
||||
{{ include "common.job.mountPermissions" . | nindent 0 }}
|
||||
|
||||
{{ include "common.networkpolicy" . | nindent 0 }}
|
||||
|
||||
{{- end -}}
|
||||
|
||||
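--- a/charts/library/common/templates/_networkPolicy.tpl
+++ b/charts/library/common/templates/_networkPolicy.tpl
@@ -0,0 +1,38 @@
+{{/*
+Blueprint for the NetworkPolicy object that can be included in the addon.
+*/}}
+{{- define "common.networkpolicy" -}}
+{{- if .Values.networkPolicy.enabled }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+name: {{ include "common.names.fullname" . }}
+spec:
+podSelector:
+{{- if .Values.networkPolicy.podSelector }}
+{{- with .Values.networkPolicy.podSelector }}
+{{- . | toYaml | nindent 4 }}
+{{- end -}}
+{{- else }}
+matchLabels:
+{{- include "common.labels.selectorLabels" . | nindent 6 }}
+{{- end }}
+
+{{- with .Values.networkPolicy.policyTypes }}
+policyTypes:
+{{- . | toYaml | nindent 4 }}
+{{- end -}}
+
+{{- with .Values.networkPolicy.egress }}
+egress:
+{{- . | toYaml | nindent 4 }}
+{{- end -}}
+
+{{- with .Values.networkPolicy.ingress }}
+ingress:
+{{- . | toYaml | nindent 4 }}
+{{- end -}}
+
+{{- end -}}
+{{- end -}}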
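Review bot: Setting `networkPolicy.enabled: true` with the defaults shipped in this commit renders a policy that has a `podSelector` but no `policyTypes`, `ingress` or `egress`, because each of those `with` blocks is skipped for an empty list. Kubernetes treats a policy without `policyTypes` as an Ingress policy, and with no allow rules that drops all inbound traffic to the selected pods. That is a sensible default-deny, but it should be stated in the template's header comment, for example `With no ingress/egress rules set, the rendered policy denies all ingress to the selected pods.` The `if .Values.networkPolicy.podSelector` wrapper around the `with` on the same value is also redundant; `with ... else ... end` alone expresses the same fallback.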
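--- a/charts/library/common/templates/_rbac.tpl
+++ b/charts/library/common/templates/_rbac.tpl
@@ -0,0 +1,51 @@
+{{/*
+This template serves as a blueprint for all PersistentVolumeClaim objects that are created
+within the common library.
+*/}}
+{{- define "common.rbac" -}}
+{{- if .Values.rbac.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: {{ include "common.names.fullname" . -}}
+labels:
+{{- with .Values.rbac.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+annotations:
+{{- with .Values.rbac.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+{{- with .Values.rbac.rules }}
+rules:
+{{- . | toYaml | nindent 4 }}
+{{- end -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: {{ include "common.names.fullname" . -}}
+labels:
+{{- with .Values.rbac.labels }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+annotations:
+{{- with .Values.rbac.annotations }}
+{{- toYaml . | nindent 4 }}
+{{- end }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: {{ include "common.names.fullname" . -}}
+subjects:
+{{- if .Values.serviceAccount }}
+- kind: ServiceAccount
+name: {{ include "common.names.serviceAccountName" . }}
+namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- with .Values.rbac.subjects }}
+{{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end -}}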
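Review bot: The ServiceAccount subject is guarded by `{{- if .Values.serviceAccount }}`, which tests the whole map rather than `serviceAccount.create`; the values file in this commit always defines that map (`create: false`, `name: ""`), so the subject is emitted whenever `rbac.enabled` is true. If `common.names.serviceAccountName` falls back to the namespace's default account when none is created (the helper is not shown here), the ClusterRole would be granted cluster-wide to an account shared by other pods in the namespace; `{{- if .Values.serviceAccount.create }}` would limit the binding to the chart's own account. Separately, the `-}}` on the three `name: {{ include "common.names.fullname" . -}}` lines trims the following newline, so the next key (`labels:`, `subjects:`) is likely joined onto the name line; a plain `}}` avoids that. The header comment still describes PersistentVolumeClaim objects and should read `Blueprint for the ClusterRole and ClusterRoleBinding objects created by the common library.`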
@@ -1,15 +0,0 @@
|
||||
{{/*
|
||||
This template serves as a blueprint for External Interface objects that are created
|
||||
using the SCALE GUI.
|
||||
*/}}
|
||||
{{- define "common.classes.externalInterfaces" -}}
|
||||
{{- range $index, $iface := .Values.ixExternalInterfacesConfiguration }}
|
||||
---
|
||||
apiVersion: "k8s.cni.cncf.io/v1"
|
||||
kind: NetworkAttachmentDefinition
|
||||
metadata:
|
||||
name: ix-{{ $.Release.Name }}-{{ $index }}
|
||||
spec:
|
||||
config: '{{ $iface }}'
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
@@ -1,4 +1,4 @@
|
||||
{{- define "common.class.portal" -}}
|
||||
{{- define "common.configmap.portal" -}}
|
||||
|
||||
{{- if .Values.portal }}
|
||||
{{- if .Values.portal.enabled }}
|
||||
@@ -2,7 +2,7 @@
|
||||
This template serves as the blueprint for the mountPermissions job that is run
|
||||
before chart installation.
|
||||
*/}}
|
||||
{{- define "common.class.mountPermissions" -}}
|
||||
{{- define "common.job.mountPermissions" -}}
|
||||
{{- if .Values.persistence -}}
|
||||
{{- $jobName := include "common.names.fullname" . -}}
|
||||
{{- $group := 568 -}}
|
||||
@@ -79,6 +79,8 @@ autoscaling:
|
||||
targetCPUUtilizationPercentage: # 80
|
||||
targetMemoryUtilizationPercentage: # 80
|
||||
|
||||
# -- Create serviceaccount
|
||||
# @default -- See below
|
||||
serviceAccount:
|
||||
# -- Specifies whether a service account should be created
|
||||
create: false
|
||||
@@ -90,6 +92,50 @@ serviceAccount:
|
||||
# If not set and create is true, a name is generated using the fullname template
|
||||
name: ""
|
||||
|
||||
# -- Create a ClusterRole and ClusterRoleBinding
|
||||
# @default -- See below
|
||||
rbac:
|
||||
# -- Enables or disables the ClusterRole and ClusterRoleBinding
|
||||
enabled: false
|
||||
|
||||
# -- Set Annotations on the ClusterRole
|
||||
clusterRoleLabels: {}
|
||||
|
||||
# -- Set labels on the ClusterRole
|
||||
clusterRoleAnnotations: {}
|
||||
|
||||
# -- Set Annotations on the ClusterRoleBinding
|
||||
|
||||
clusterRoleBindingLabels: {}
|
||||
|
||||
# -- Set labels on the ClusterRoleBinding
|
||||
clusterRoleBindingAnnotations: {}
|
||||
|
||||
# -- Set Rules on the ClusterRole
|
||||
rules: {}
|
||||
|
||||
# -- Add subjects to the ClusterRoleBinding.
|
||||
# includes the above created serviceaccount
|
||||
subjects: {}
|
||||
|
||||
# -- Configure networkPolicy for the chart here.
|
||||
# @default -- See below
|
||||
networkPolicy:
|
||||
# -- Enables or disables the networkPolicy
|
||||
enabled: false
|
||||
|
||||
# customizes the podSelector (defaults to the helm-chart selector-labels
|
||||
# podSelector:
|
||||
|
||||
# -- add or remove Policy types
|
||||
policyTypes: []
|
||||
|
||||
# -- add or remove egress policies
|
||||
egress: []
|
||||
|
||||
# -- add or remove egress policies
|
||||
ingress: []
|
||||
|
||||
# -- Use this to populate a secret with the values you specify.
|
||||
# Be aware that these values are not encrypted by default, and could therefore visible
|
||||
# to anybody with access to the values.yaml file.
|
||||
|
||||
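Review bot: The new `rbac` keys `clusterRoleLabels`, `clusterRoleAnnotations`, `clusterRoleBindingLabels` and `clusterRoleBindingAnnotations` are not the ones the `common.rbac` template in this commit reads (`.Values.rbac.labels` and `.Values.rbac.annotations`), so values set here would have no effect on the rendered objects. Either rename the keys or update the template, and swap the `Set Annotations`/`Set labels` comments, which sit on the opposite keys. `rules` and `subjects` are rendered as YAML sequences and should default to `rules: []` and `subjects: []` rather than `{}`. The comment above `ingress: []` repeats `add or remove egress policies` and should say ingress. Because the ClusterRole is cluster-scoped, a comment on `rules` such as `# keep to the minimum verbs and resources the workload needs` would help chart authors avoid over-granting.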
@@ -212,7 +212,7 @@ questions:
|
||||
type: dict
|
||||
attrs:
|
||||
- variable: name
|
||||
label: "Name"
|
||||
label: "Name"
|
||||
schema:
|
||||
type: string
|
||||
- variable: value
|
||||
|
||||