remove externalInterfaces + add RBAC and networkPolicy support (#882)

* remove externalInterfaces + add RBAC and networkPolicy support

* mistaken double end

* cleanup values a bit

* fix a small mistake

* That was the wrong mistake
Kjeld Schouten-Lebbing
2021-09-02 12:52:34 +02:00
committed by GitHub
parent 4c3820037e
commit 6831d56ee4
10 changed files with 148 additions and 24 deletions


@@ -18,4 +18,4 @@ maintainers:
name: common
sources: null
type: library
version: 6.12.5
version: 6.13.0


@@ -2,7 +2,7 @@
This template serves as a blueprint for horizontal pod autoscaler objects that are created
using the common library.
*/}}
{{- define "common.classes.hpa" -}}
{{- define "common.hpa" -}}
{{- if .Values.autoscaling.enabled -}}
{{- $hpaName := include "common.names.fullname" . -}}
{{- $targetName := include "common.names.fullname" . }}


@@ -24,7 +24,9 @@ Main entrypoint for the common library chart. It will render all underlying temp
{{- end -}}
{{- end -}}
{{ include "common.classes.hpa" . | nindent 0 }}
{{ include "common.rbac" . | nindent 0 }}
{{ include "common.hpa" . | nindent 0 }}
{{ include "common.service" . | nindent 0 }}
@@ -33,9 +35,11 @@ Main entrypoint for the common library chart. It will render all underlying temp
{{- if .Values.secret -}}
{{ include "common.secret" . | nindent 0 }}
{{- end -}}
{{ include "common.class.portal" . | nindent 0 }}
{{ include "common.class.mountPermissions" . | nindent 0 }}
{{ include "common.classes.externalInterfaces" . | nindent 0 }}
{{ include "common.configmap.portal" . | nindent 0 }}
{{ include "common.job.mountPermissions" . | nindent 0 }}
{{ include "common.networkpolicy" . | nindent 0 }}
{{- end -}}


@@ -0,0 +1,38 @@
{{/*
Blueprint for the NetworkPolicy object that can be included in the addon.
*/}}
{{- define "common.networkpolicy" -}}
{{- if .Values.networkPolicy.enabled }}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ include "common.names.fullname" . }}
spec:
podSelector:
{{- if .Values.networkPolicy.podSelector }}
{{- with .Values.networkPolicy.podSelector }}
{{- . | toYaml | nindent 4 }}
{{- end -}}
{{- else }}
matchLabels:
{{- include "common.labels.selectorLabels" . | nindent 6 }}
{{- end }}
{{- with .Values.networkPolicy.policyTypes }}
policyTypes:
{{- . | toYaml | nindent 4 }}
{{- end -}}
{{- with .Values.networkPolicy.egress }}
egress:
{{- . | toYaml | nindent 4 }}
{{- end -}}
{{- with .Values.networkPolicy.ingress }}
ingress:
{{- . | toYaml | nindent 4 }}
{{- end -}}
{{- end -}}
{{- end -}}
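Review bot: Setting `networkPolicy.enabled: true` with the shipped defaults (`policyTypes: []`, `ingress: []`, `egress: []`) skips all three `with` blocks, so the rendered policy has only a `podSelector`. Kubernetes then applies the default `Ingress` policy type with no rules, which denies all inbound traffic to the selected pods. That may be the intended safe default, but nothing states it; the template header could add `Enabling this without ingress rules denies all ingress to the selected pods.` Also, an explicit `podSelector: {}` (select every pod in the namespace) is falsy in `{{- if .Values.networkPolicy.podSelector }}` and silently falls back to the chart's selector labels, so that case cannot be expressed through values.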


@@ -0,0 +1,51 @@
{{/*
This template serves as a blueprint for all PersistentVolumeClaim objects that are created
within the common library.
*/}}
{{- define "common.rbac" -}}
{{- if .Values.rbac.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "common.names.fullname" . -}}
labels:
{{- with .Values.rbac.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.rbac.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.rbac.rules }}
rules:
{{- . | toYaml | nindent 4 }}
{{- end -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "common.names.fullname" . -}}
labels:
{{- with .Values.rbac.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- with .Values.rbac.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "common.names.fullname" . -}}
subjects:
{{- if .Values.serviceAccount }}
- kind: ServiceAccount
name: {{ include "common.names.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- with .Values.rbac.subjects }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end -}}
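Review bot: The guard `{{- if .Values.serviceAccount }}` on the ClusterRoleBinding subject tests the map rather than `serviceAccount.create`, and the values.yaml section of this commit ships that map non-empty (`create: false`, `name: ""`), so the subject is added whenever `rbac.enabled` is true. If `common.names.serviceAccountName` falls back to the namespace's `default` account when `create` is false (the helper is not visible here), the cluster-wide rules are granted to every pod in the namespace running under that account. Gate it on `{{- if .Values.serviceAccount.create }}`, and consider a namespaced Role/RoleBinding unless the rules need cluster scope. Separately, the template reads `.Values.rbac.labels` and `.Values.rbac.annotations` while values.yaml defines `clusterRoleLabels`, `clusterRoleAnnotations` and the binding variants, and the header comment still describes PersistentVolumeClaim objects. As shown, the trailing `-}}` on the three `name:` lines and on the `end` before the second `---` also trims the following newline, which would join the next key or document marker onto the same line.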


@@ -1,15 +0,0 @@
{{/*
This template serves as a blueprint for External Interface objects that are created
using the SCALE GUI.
*/}}
{{- define "common.classes.externalInterfaces" -}}
{{- range $index, $iface := .Values.ixExternalInterfacesConfiguration }}
---
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
name: ix-{{ $.Release.Name }}-{{ $index }}
spec:
config: '{{ $iface }}'
{{- end }}
{{- end -}}


@@ -1,4 +1,4 @@
{{- define "common.class.portal" -}}
{{- define "common.configmap.portal" -}}
{{- if .Values.portal }}
{{- if .Values.portal.enabled }}


@@ -2,7 +2,7 @@
This template serves as the blueprint for the mountPermissions job that is run
before chart installation.
*/}}
{{- define "common.class.mountPermissions" -}}
{{- define "common.job.mountPermissions" -}}
{{- if .Values.persistence -}}
{{- $jobName := include "common.names.fullname" . -}}
{{- $group := 568 -}}


@@ -79,6 +79,8 @@ autoscaling:
targetCPUUtilizationPercentage: # 80
targetMemoryUtilizationPercentage: # 80
# -- Create serviceaccount
# @default -- See below
serviceAccount:
# -- Specifies whether a service account should be created
create: false
@@ -90,6 +92,50 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: ""
# -- Create a ClusterRole and ClusterRoleBinding
# @default -- See below
rbac:
# -- Enables or disables the ClusterRole and ClusterRoleBinding
enabled: false
# -- Set Annotations on the ClusterRole
clusterRoleLabels: {}
# -- Set labels on the ClusterRole
clusterRoleAnnotations: {}
# -- Set Annotations on the ClusterRoleBinding
clusterRoleBindingLabels: {}
# -- Set labels on the ClusterRoleBinding
clusterRoleBindingAnnotations: {}
# -- Set Rules on the ClusterRole
rules: {}
# -- Add subjects to the ClusterRoleBinding.
# includes the above created serviceaccount
subjects: {}
# -- Configure networkPolicy for the chart here.
# @default -- See below
networkPolicy:
# -- Enables or disables the networkPolicy
enabled: false
# customizes the podSelector (defaults to the helm-chart selector-labels
# podSelector:
# -- add or remove Policy types
policyTypes: []
# -- add or remove egress policies
egress: []
# -- add or remove egress policies
ingress: []
# -- Use this to populate a secret with the values you specify.
# Be aware that these values are not encrypted by default, and could therefore visible
# to anybody with access to the values.yaml file.
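Review bot: `rules: {}` and `subjects: {}` in the new `rbac` block default to maps, but ClusterRole `rules` and ClusterRoleBinding `subjects` are lists; `rules: []` and `subjects: []` would match what users have to supply and what the template passes through `toYaml`. The `# --` comments are swapped on `clusterRoleLabels`/`clusterRoleAnnotations` and on the binding pair (the "Annotations" comment sits above the labels key and vice versa), and the comment above `ingress: []` still reads `add or remove egress policies`. Because `rules` grants cluster-wide permissions, the comment on it should say so, e.g. `# -- Rules for the ClusterRole (cluster-wide; keep to the minimum verbs/resources needed)`.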


@@ -212,7 +212,7 @@ questions:
type: dict
attrs:
- variable: name
label: "Name"
label: "Name"
schema:
type: string
- variable: value