978507351f
When using Rook for managing Ceph clusters we have to provision a minimal set of assets (keys, endpoints, etc.) to make Openstack-Helm charts work with these Ceph clusters. Rook provides CRDs that can be used for managing Ceph assets like pools/keyrings/buckets etc. but Openstack-Helm can not utilize these CRDs. To support these CRDs in OSH would require having lots of conditionals in OSH templates since we still want OSH to work with OSH ceph-* charts. Change-Id: If7fe29052640e48c37b653e13a74d95e360a6d16
135 lines
4.9 KiB
YAML
135 lines
4.9 KiB
YAML
{{/*
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/}}
|
|
|
|
{{- if and .Values.manifests.job_namespace_client_ceph_config }}
|
|
{{- $envAll := . }}
|
|
|
|
{{- $randStringSuffix := randAlphaNum 5 | lower }}
|
|
|
|
{{- $serviceAccountName := print $envAll.Release.Name "-ceph-ns-ceph-config-generator" }}
|
|
{{ tuple $envAll "namespace_client_ceph_config_generator" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ $serviceAccountName }}
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- configmaps
|
|
verbs:
|
|
- get
|
|
- create
|
|
- update
|
|
- patch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ $serviceAccountName }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ $serviceAccountName }}
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ $serviceAccountName }}
|
|
namespace: {{ $envAll.Release.Namespace }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
|
|
namespace: {{ .Values.admin_secret_namespace }}
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- endpoints
|
|
verbs:
|
|
- get
|
|
- list
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
|
|
namespace: {{ .Values.admin_secret_namespace }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ printf "%s-%s" $serviceAccountName $randStringSuffix }}
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ $serviceAccountName }}
|
|
namespace: {{ $envAll.Release.Namespace }}
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: {{ $serviceAccountName }}
|
|
labels:
|
|
{{ tuple $envAll "ceph" "client-ceph-config-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
|
|
spec:
|
|
template:
|
|
metadata:
|
|
labels:
|
|
{{ tuple $envAll "ceph" "client-ceph-config-generator" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
|
annotations:
|
|
{{ dict "envAll" $envAll "podName" $serviceAccountName "containerNames" (list "ceph-storage-keys-generator" "init") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
|
spec:
|
|
{{ dict "envAll" $envAll "application" "client_ceph_config_generator" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
|
|
serviceAccountName: {{ $serviceAccountName }}
|
|
restartPolicy: OnFailure
|
|
nodeSelector:
|
|
{{ $envAll.Values.labels.job.node_selector_key }}: {{ $envAll.Values.labels.job.node_selector_value }}
|
|
initContainers:
|
|
{{ tuple $envAll "namespace_client_ceph_config_generator" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
|
containers:
|
|
- name: ceph-storage-keys-generator
|
|
{{ tuple $envAll "ceph_config_helper" | include "helm-toolkit.snippets.image" | indent 10 }}
|
|
{{ tuple $envAll $envAll.Values.pod.resources.jobs.secret_provisioning | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
|
|
{{ dict "envAll" $envAll "application" "client_ceph_config_generator" "container" "ceph_storage_keys_generator" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
|
env:
|
|
- name: CEPH_CONF_ETC
|
|
value: {{ .Values.ceph_configmap_name }}
|
|
- name: DEPLOYMENT_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
- name: PVC_CEPH_RBD_STORAGECLASS_DEPLOYED_NAMESPACE
|
|
value: {{ .Values.admin_secret_namespace }}
|
|
command:
|
|
- /tmp/provisioner-rbd-namespace-client-ceph-config-manager.sh
|
|
volumeMounts:
|
|
- name: pod-tmp
|
|
mountPath: /tmp
|
|
- name: pod-etc-ceph
|
|
mountPath: /etc/ceph
|
|
- name: ceph-provisioners-bin-clients
|
|
mountPath: /tmp/provisioner-rbd-namespace-client-ceph-config-manager.sh
|
|
subPath: provisioner-rbd-namespace-client-ceph-config-manager.sh
|
|
readOnly: true
|
|
volumes:
|
|
- name: pod-tmp
|
|
emptyDir: {}
|
|
- name: pod-etc-ceph
|
|
emptyDir: {}
|
|
- name: ceph-provisioners-bin-clients
|
|
configMap:
|
|
name: {{ printf "%s-%s" $envAll.Release.Name "bin" | quote }}
|
|
defaultMode: 0555
|
|
{{- end }}
|