openstack-helm-infra/ingress/templates/deployment-ingress.yaml
KHIYANI, RAHUL (rk0850) ae41873341 Add Docker default AppArmor profile to ingress chart
Change-Id: Id4fee2008fd7544ccbf865084949c767013ca3fa
2020-02-13 22:41:37 +00:00


{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.deployment_ingress }}
{{- $envAll := . }}
{{- /* Default INGRESS_CLASS from deployment.mode when values.yaml leaves it
       empty: "cluster" mode takes deployment.cluster.class, "namespace" mode
       uses the literal "nginx". Any other mode leaves it empty, which also
       empties the configmap name used in the Role's resourceNames below.
       The value is written back into .Values.conf.controller, so it is also
       exported to the controller as an environment variable further down. */ -}}
{{- if empty .Values.conf.controller.INGRESS_CLASS -}}
{{- if eq .Values.deployment.mode "cluster" }}
{{- $_ := set .Values.conf.controller "INGRESS_CLASS" .Values.deployment.cluster.class -}}
{{- else if eq .Values.deployment.mode "namespace" }}
{{- $_ := set .Values.conf.controller "INGRESS_CLASS" "nginx" -}}
{{- end }}
{{- end -}}
{{- /* One ServiceAccount, "<release>-ingress", is shared by the RBAC objects
       and the pod spec in this file. */ -}}
{{- $serviceAccountName := printf "%s-%s" .Release.Name "ingress" }}
{{- /* Renders the ServiceAccount itself (helm-toolkit snippet). */}}
{{ tuple $envAll "ingress" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
# Cluster-scoped permissions for the ingress controller ServiceAccount;
# every rule here applies across all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $serviceAccountName }}
rules:
  # NOTE(review): list/watch on secrets is cluster-wide, so this
  # ServiceAccount can read every Secret in the cluster, not only the
  # TLS secrets referenced by Ingress objects. Confirm this scope is
  # required for the chosen deployment.mode; "namespace" mode may be
  # better served by a namespaced Role.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  # Events are write-only for the controller (create/patch, no read).
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # Both the legacy "extensions" group and "networking.k8s.io" are
  # granted, presumably so the controller still works against API
  # servers that serve Ingress only under the older group.
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  # Only the status subresource is writable; Ingress specs stay read-only.
  - apiGroups:
      - "extensions"
      - "networking.k8s.io"
    resources:
      - ingresses/status
    verbs:
      - update
---
# Binds the ClusterRole above to the release's ingress ServiceAccount.
# The binding itself is cluster-scoped; the subject is namespaced.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $serviceAccountName }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ $serviceAccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ $envAll.Release.Namespace }}
---
# Namespaced Role: the write permissions the controller needs are kept
# inside the release namespace instead of being added to the ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ $envAll.Release.Namespace }}
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  # get/update is narrowed by resourceNames to the single controller
  # configmap "<release>-<INGRESS_CLASS>". If INGRESS_CLASS is still
  # empty (deployment.mode is neither "cluster" nor "namespace") this
  # renders as "<release>-" and matches nothing.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - {{ printf "%s-%s" .Release.Name .Values.conf.controller.INGRESS_CLASS | quote }}
    verbs:
      - get
      - update
  # create cannot be restricted by resourceNames (the object has no name
  # yet when the request is authorized), hence the separate rule.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  # NOTE(review): presumably used for leader election between controller
  # replicas — confirm; if not, write access to endpoints is unneeded.
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - create
      - update
---
# Binds the namespaced Role above to the same ServiceAccount, inside the
# release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ $envAll.Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $serviceAccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ $envAll.Release.Namespace }}
---
# Ingress controller workload. deployment.type selects the kind; any
# value other than "Deployment" or "DaemonSet" renders a resource with
# no apiVersion/kind, i.e. an invalid manifest.
{{- if eq .Values.deployment.type "Deployment" }}
apiVersion: apps/v1
kind: Deployment
{{- else if eq .Values.deployment.type "DaemonSet" }}
apiVersion: apps/v1
kind: DaemonSet
{{- end }}
metadata:
  name: ingress
  annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
  labels:
{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
    app: ingress-api
spec:
{{- if eq .Values.deployment.type "Deployment" }}
  # replicas and the upgrade-strategy snippet only apply to a Deployment;
  # a DaemonSet runs one pod per selected node.
  replicas: {{ .Values.pod.replicas.ingress }}
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
{{- end }}
  selector:
    matchLabels:
{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
      app: ingress-api
  template:
    metadata:
      labels:
{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
        app: ingress-api
      annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        # Hashes of the two configmaps in the pod template, so a change to
        # the scripts or the controller config rolls the pods.
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-conf.yaml" . | include "helm-toolkit.utils.hash" }}
        # Mandatory access control (AppArmor) annotations for the named
        # containers. NOTE(review): only "ingress" and "ingress-vip" are
        # listed, so the init containers "ingress-vip-kernel-modules" and
        # "ingress-vip-init" below presumably get no profile, although they
        # are the ones touching the host (kernel modules, host-rootfs).
        # "ingress-vip" also only exists when network.host_namespace and
        # network.vip.manage are both set — confirm the snippet omits the
        # annotation for a container that is absent from the spec.
{{ dict "envAll" $envAll "podName" "ingress-server" "containerNames" (list "ingress" "ingress-vip") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
{{ dict "envAll" $envAll "application" "server" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      # All containers in the pod share one PID namespace and can see each
      # other's processes; the preStop "stop" commands below may rely on
      # this — TODO confirm.
      shareProcessNamespace: true
      serviceAccountName: {{ $serviceAccountName }}
{{- if eq .Values.deployment.type "Deployment" }}
      affinity:
{{ tuple $envAll "ingress" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
{{- end }}
      nodeSelector:
        {{ .Values.labels.server.node_selector_key }}: {{ .Values.labels.server.node_selector_value | quote }}
{{- if .Values.network.host_namespace }}
      # Host networking: the controller binds the node's network stack
      # directly, and each containerPort below is also published as a
      # hostPort.
      hostNetwork: true
{{- end }}
      dnsPolicy: {{ .Values.pod.dns_policy }}
      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.server.timeout | default "60" }}
      initContainers:
{{ tuple $envAll "ingress" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
        # VIP management is only rendered with host networking. These two
        # init containers run the "kernel_modules" and "start" steps of
        # ingress-vip.sh before the controller container starts.
        - name: ingress-vip-kernel-modules
{{ tuple $envAll "ingress_module_init" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_kernel_modules" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          command:
            - /tmp/ingress-vip.sh
            - kernel_modules
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: ingress-bin
              mountPath: /tmp/ingress-vip.sh
              subPath: ingress-vip.sh
              readOnly: true
            # NOTE(review): the entire host filesystem is mounted here
            # (read-only). Confirm the kernel_modules step really needs more
            # than the host's modules directory before keeping this scope.
            - name: host-rootfs
              mountPath: /mnt/host-rootfs
              readOnly: true
        - name: ingress-vip-init
{{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
          command:
            - /tmp/ingress-vip.sh
            - start
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: ingress-bin
              mountPath: /tmp/ingress-vip.sh
              subPath: ingress-vip.sh
              readOnly: true
{{- end }}
      containers:
        - name: ingress
{{ tuple $envAll "ingress" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.ingress | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
{{ dict "envAll" $envAll "application" "server" "container" "ingress" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          # Both probes hit the controller's own /healthz over plain HTTP on
          # the "healthz" port from the endpoints catalogue.
          readinessProbe:
            httpGet:
              path: /healthz
              port: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
              scheme: HTTP
          livenessProbe:
            httpGet:
              path: /healthz
              port: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
              scheme: HTTP
            initialDelaySeconds: 10
            # Each liveness attempt fails after 1s; restarts then follow the
            # (unset, so default) failureThreshold.
            timeoutSeconds: 1
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # Listening ports come from the endpoints catalogue and are
            # quoted so they render as strings (EnvVar.value is a string).
            - name: PORT_HTTP
              value: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: PORT_HTTPS
              value: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: PORT_STATUS
              value: {{ tuple "ingress" "internal" "status" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: PORT_STREAM
              value: {{ tuple "ingress" "internal" "stream" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: PORT_PROFILER
              value: {{ tuple "ingress" "internal" "profiler" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: PORT_HEALTHZ
              value: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: DEFAULT_SERVER_PORT
              value: {{ tuple "ingress" "internal" "server" . | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }}
            - name: RELEASE_NAME
              value: {{ .Release.Name | quote }}
            - name: ERROR_PAGE_SERVICE
              value: {{ tuple "ingress" "error_pages" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" | quote }}
            # Every key under conf.controller becomes an environment
            # variable, including INGRESS_CLASS as defaulted in the preamble.
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.controller | indent 12 }}
          ports:
            # hostPort mirrors containerPort only when the pod runs in the
            # host network namespace.
            - containerPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.network.host_namespace }}
              hostPort: {{ tuple "ingress" "internal" "http" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
            - containerPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.network.host_namespace }}
              hostPort: {{ tuple "ingress" "internal" "https" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
            - containerPort: {{ tuple "ingress" "internal" "status" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.network.host_namespace }}
              hostPort: {{ tuple "ingress" "internal" "status" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
            - containerPort: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.network.host_namespace }}
              hostPort: {{ tuple "ingress" "internal" "healthz" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
            - containerPort: {{ tuple "ingress" "internal" "server" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- if .Values.network.host_namespace }}
              hostPort: {{ tuple "ingress" "internal" "server" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
{{- end }}
          # Start/stop are delegated to the script shipped in the
          # ingress-bin configmap (mounted read-only below).
          command:
            - /tmp/ingress-controller.sh
            - start
          lifecycle:
            preStop:
              exec:
                command:
                  - /tmp/ingress-controller.sh
                  - stop
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: ingress-bin
              mountPath: /tmp/ingress-controller.sh
              subPath: ingress-controller.sh
              readOnly: true
{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
        # Sidecar that holds the VIP for the pod's lifetime; image and
        # settings depend on network.vip.mode. Its name matches the
        # "ingress-vip" entry in the MAC annotation above in both modes.
        - name: ingress-vip
{{- if eq .Values.network.vip.mode "routed" }}
{{ tuple $envAll "ingress_routed_vip" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ dict "envAll" $envAll "application" "server" "container" "ingress_vip" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          env:
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.network.vip | indent 12 }}
          # "sleep" keeps the container alive; "stop" on preStop releases
          # the VIP.
          command:
            - /tmp/ingress-vip.sh
            - sleep
          lifecycle:
            preStop:
              exec:
                command:
                  - /tmp/ingress-vip.sh
                  - stop
          volumeMounts:
            - name: pod-tmp
              mountPath: /tmp
            - name: ingress-bin
              mountPath: /tmp/ingress-vip.sh
              subPath: ingress-vip.sh
              readOnly: true
{{- else if eq .Values.network.vip.mode "keepalived" }}
          # NOTE(review): unlike the "routed" branch, no
          # kubernetes_container_security_context is rendered for this
          # mode, so the keepalived container gets only the pod-level
          # security context. Check whether a container-level entry is
          # wanted here too.
{{ tuple $envAll "keepalived" | include "helm-toolkit.snippets.image" | indent 10 }}
          env:
            - name: KEEPALIVED_INTERFACE
              value: {{ .Values.network.vip.interface | quote }}
            # Only the address part of network.vip.addr; the CIDR prefix
            # after "/" is dropped.
            - name: KEEPALIVED_VIRTUAL_IPS
              value: {{ ( .Values.network.vip.addr | split "/" )._0 | quote }}
            # Rendered as a YAML null. EnvVar.value is a string field, so
            # this presumably means "unset/empty" — confirm the keepalived
            # image accepts that.
            - name: KEEPALIVED_UNICAST_PEERS
              value: null
            - name: KEEPALIVED_ROUTER_ID
              value: {{ .Values.network.vip.keepalived_router_id | quote }}
{{- end }}
{{- end }}
      volumes:
        - name: pod-tmp
          emptyDir: {}
        - name: ingress-bin
          configMap:
            name: ingress-bin
            # Octal literal: the Kubernetes YAML decoder (YAML 1.1 rules)
            # reads 0555 as octal, i.e. mode r-xr-xr-x. Keep it unquoted —
            # defaultMode is an integer field, and a quoted "0555" would
            # fail type validation.
            defaultMode: 0555
{{- if and .Values.network.host_namespace .Values.network.vip.manage }}
        # Read-only view of the node's root filesystem for the
        # kernel-modules init container; only rendered when VIP management
        # is enabled.
        - name: host-rootfs
          hostPath:
            path: /
{{- end }}
{{- end }}