

Upgrade service catalog from v0.1.11 to v0.1.28
Major flaws reported by the Kyma team have been fixed:
- kubernetes-retired/service-catalog#2025
- kubernetes-retired/service-catalog#1879
- kubernetes-retired/service-catalog#2006

Enabled the namespaced broker feature.
PK85 committed Aug 7, 2018
1 parent 247ecb3 commit 3d9ba9e
Showing 5 changed files with 116 additions and 19 deletions.
@@ -1,4 +1,3 @@
name: catalog
description: service-catalog API server and controller-manager helm chart
version: 0.1.11

version: 0.1.28
Expand Up @@ -22,25 +22,27 @@ spec:
app: {{ template "fullname" . }}-apiserver
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
release: "{{ .Release.Name }}"
releaseRevision: "{{ .Release.Revision }}"
heritage: "{{ .Release.Service }}"
{{ if .Values.apiserver.annotations }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/apiserver-secret.yaml") . | sha256sum }}
{{ toYaml .Values.apiserver.annotations | indent 8 }}
{{- end }}
spec:
serviceAccountName: "{{ .Values.apiserver.serviceAccount }}"
containers:
- name: apiserver
image: {{ .Values.image }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
resources:
requests:
memory: 20Mi
{{ toYaml .Values.apiserver.resources | indent 10 }}
args:
- apiserver
{{ if .Values.apiserver.audit.activated -}}
- --audit-log-path
- {{ .Values.apiserver.audit.logPath }}
{{- end}}
- --admission-control
- --enable-admission-plugins
- "KubernetesNamespaceLifecycle,DefaultServicePlan,ServiceBindingsLifecycle,ServicePlanChangeValidator,BrokerAuthSarCheck"
- --secure-port
- "8443"
Expand All @@ -62,9 +64,9 @@ spec:
- --feature-gates
- OriginatingIdentity=true
{{- end }}
{{- if .Values.namespacedServiceBrokerEnabled }}
{{- if .Values.namespacedServiceBrokerDisabled }}
- --feature-gates
- NamespacedServiceBroker=true
- NamespacedServiceBroker=false
{{- end }}
{{- if .Values.apiserver.serveOpenAPISpec }}
- --serve-openapi-spec
Expand All @@ -75,6 +77,7 @@ spec:
- name: apiserver-cert
mountPath: /var/run/kubernetes-service-catalog
readOnly: true
{{- if .Values.apiserver.healthcheck.enabled }}
readinessProbe:
httpGet:
port: 8443
Expand All @@ -95,13 +98,13 @@ spec:
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
{{- end }}
{{- if and (eq .Values.apiserver.storage.type "etcd") .Values.apiserver.storage.etcd.useEmbedded }}
- name: etcd
image: quay.io/coreos/etcd:v3.2.13
image: quay.io/coreos/etcd:latest
imagePullPolicy: Always
resources:
requests:
memory: 30Mi
{{ toYaml .Values.apiserver.storage.etcd.resources | indent 10 }}
env:
- name: ETCD_DATA_DIR
value: /etcd-data-dir
Expand Down Expand Up @@ -135,6 +138,10 @@ spec:
successThreshold: 1
timeoutSeconds: 2
{{- end }}
{{ if .Values.apiserver.nodeSelector }}
nodeSelector:
{{ .Values.apiserver.nodeSelector }}
{{ end }}
volumes:
- name: apiserver-cert
secret:
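Review bot: The embedded etcd sidecar now runs an unpinned image, `image: quay.io/coreos/etcd:latest` paired with `imagePullPolicy: Always`, so every pod (re)start may pull a different, unreviewed etcd build; that breaks reproducible deploys and rollbacks and turns the datastore version into an uncontrolled supply-chain input. Pin it to a specific release again, `image: quay.io/coreos/etcd:<pinned-version>` (ideally with an `@sha256:` digest), or expose the tag as a new chart value under the existing `apiserver.storage.etcd` block so the operator chooses it deliberately. Separately, the new `nodeSelector` stanza emits `{{ .Values.apiserver.nodeSelector }}` directly; a Go template prints a map as `map[k:v]`, not YAML, so any non-empty selector yields an invalid manifest — render it as `{{ toYaml .Values.apiserver.nodeSelector | indent 8 }}`, the way the annotations block earlier in this file is rendered, and apply the same fix to the controller-manager template's nodeSelector lines. The enclosing pod spec continues outside the hunk.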
Expand Up @@ -20,6 +20,9 @@ spec:
metadata:
annotations:
prometheus.io/scrape: "{{ .Values.controllerManager.enablePrometheusScrape }}"
{{ if .Values.controllerManager.annotations }}
{{ toYaml .Values.controllerManager.annotations | indent 8 }}
{{- end }}
labels:
app: {{ template "fullname" . }}-controller-manager
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
Expand All @@ -32,8 +35,7 @@ spec:
image: {{ .Values.image }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
resources:
requests:
memory: 20Mi
{{ toYaml .Values.controllerManager.resources | indent 10 }}
env:
- name: K8S_NAMESPACE
valueFrom:
Expand All @@ -43,6 +45,7 @@ spec:
- controller-manager
- --secure-port
- "8444"
- "--cluster-id-configmap-namespace={{ .Release.Namespace }}"
{{ if .Values.controllerManager.leaderElection.activated -}}
- "--leader-election-namespace={{ .Release.Namespace }}"
- "--leader-elect-resource-lock=configmaps"
Expand Down Expand Up @@ -78,16 +81,21 @@ spec:
- --feature-gates
- AsyncBindingOperations=true
{{- end }}
{{- if .Values.namespacedServiceBrokerEnabled }}
{{- if .Values.catalogRestrictionsEnabled }}
- --feature-gates
- NamespacedServiceBroker=true
- CatalogRestrictions=true
{{- end }}
{{- if .Values.namespacedServiceBrokerDisabled }}
- --feature-gates
- NamespacedServiceBroker=false
{{- end }}
ports:
- containerPort: 8444
volumeMounts:
- name: service-catalog-cert
mountPath: /var/run/kubernetes-service-catalog
readOnly: true
{{- if .Values.controllerManager.healthcheck.enabled }}
readinessProbe:
httpGet:
port: 8444
Expand All @@ -108,6 +116,11 @@ spec:
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
{{- end }}
{{ if .Values.controllerManager.nodeSelector }}
nodeSelector:
{{ .Values.controllerManager.nodeSelector }}
{{ end }}
volumes:
- name: service-catalog-cert
secret:
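Review bot: The new gate `{{- if .Values.catalogRestrictionsEnabled }}` reads a value that none of the values.yaml hunks in this commit declares, and I cannot see it defined elsewhere on the page; if it is genuinely missing, Helm evaluates it as nil, the gate silently stays off, and operators have no documented knob for it. If so, declare it beside the other feature flags, e.g. `# Whether the CatalogRestrictions alpha feature should be enabled` followed by `catalogRestrictionsEnabled: false`. The container args list continues outside the hunk.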
Expand Up @@ -17,6 +17,12 @@ items:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "watch"]
# API-server service-account gets its own role
- apiVersion: {{template "rbacApiVersion" . }}
kind: ClusterRoleBinding
Expand Down Expand Up @@ -100,6 +106,20 @@ items:
- apiGroups: ["servicecatalog.k8s.io"]
resources: ["clusterservicebrokers/status","clusterserviceclasses/status","clusterserviceplans/status","serviceinstances/status","serviceinstances/reference","servicebindings/status"]
verbs: ["update"]
{{- if not .Values.namespacedServiceBrokerDisabled }}
- apiGroups: ["servicecatalog.k8s.io"]
resources: ["serviceclasses"]
verbs: ["get","list","watch","create","patch","update","delete"]
- apiGroups: ["servicecatalog.k8s.io"]
resources: ["serviceplans"]
verbs: ["get","list","watch","create","patch","update","delete"]
- apiGroups: ["servicecatalog.k8s.io"]
resources: ["servicebrokers"]
verbs: ["get","list","watch"]
- apiGroups: ["servicecatalog.k8s.io"]
resources: ["servicebrokers/status","serviceclasses/status","serviceplans/status"]
verbs: ["update"]
{{- end }}
# give the controller-manager service account access to whats defined in its role.
- apiVersion: {{template "rbacApiVersion" . }}
kind: ClusterRoleBinding
Expand All @@ -115,6 +135,32 @@ items:
name: "{{ .Values.controllerManager.serviceAccount }}"
namespace: "{{ .Release.Namespace }}"

# This gives create/update access to configmaps
- apiVersion: {{template "rbacApiVersion" . }}
kind: Role
metadata:
name: "servicecatalog.k8s.io:cluster-info-configmap"
namespace: "{{ .Release.Namespace }}"
rules:
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["cluster-info"]
verbs: ["get","create","list","watch","update"]
- apiVersion: {{template "rbacApiVersion" . }}
kind: RoleBinding
metadata:
name: service-catalog-controller-manager-cluster-info
namespace: "{{ .Release.Namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "servicecatalog.k8s.io:cluster-info-configmap"
subjects:
- apiGroup: ""
kind: ServiceAccount
name: "{{ .Values.controllerManager.serviceAccount }}"
namespace: "{{ .Release.Namespace }}"

# This gives create/update access to configmaps in deployment namespace for leader election
- apiVersion: {{template "rbacApiVersion" . }}
kind: Role
Expand All @@ -132,7 +178,7 @@ items:
- apiVersion: {{template "rbacApiVersion" . }}
kind: RoleBinding
metadata:
name: service-catalog-controller-manager
name: service-catalog-controller-manager-leader-election
namespace: "{{ .Release.Namespace }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
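Review bot: The new `servicecatalog.k8s.io:cluster-info-configmap` Role combines `resourceNames: ["cluster-info"]` with `verbs: ["get","create","list","watch","update"]`, but Kubernetes RBAC cannot scope `create` by resource name (the name is not known at authorization time), so the `create` grant is likely ineffective and the controller-manager may be unable to create the `cluster-info` ConfigMap on first run. The usual pattern is two rules: an unscoped one, `- apiGroups: [""]` / `resources: ["configmaps"]` / `verbs: ["create"]`, plus the name-scoped rule reduced to `verbs: ["get","update"]`. If the controller lists or watches the ConfigMap without a `metadata.name` field selector, `list`/`watch` also need to live in the unscoped rule; I cannot tell from the chart alone which access pattern the binary uses. The RoleBinding continues outside the hunk.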
38 changes: 35 additions & 3 deletions resources/core/charts/service-catalog/charts/catalog/values.yaml
@@ -1,6 +1,6 @@
# Default values for Service Catalog
# service-catalog image to use
image: quay.io/kubernetes-service-catalog/service-catalog:v0.1.11
image: quay.io/kubernetes-service-catalog/service-catalog:v0.1.28
# imagePullPolicy for the service-catalog; valid values are "IfNotPresent",
# "Never", and "Always"
imagePullPolicy: Always
Expand All @@ -10,6 +10,10 @@ useAggregator: true
##
rbacEnable: true
apiserver:
# annotations is a collection of annotations to add to the apiserver pods.
annotations: {}
# nodeSelector to apply to the apiserver pods
nodeSelector:
# PodPreset is an optional feature and can be enabled by uncommenting the line below
# featureGates: "PodPreset=true"
aggregator:
Expand All @@ -28,6 +32,9 @@ apiserver:
# https://github.com/kubernetes/kubernetes/blob/v1.7.0/staging/src/k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1/types.go#L56-L61
# for more information on proper values of this field
versionPriority: 20
# healthcheck configures the readiness and liveliness probes for the apiserver pod.
healthcheck:
enabled: true
tls:
# Base64-encoded CA used to validate request-header authentication, when
# receiving delegated authentication from an aggregator. If not set, the
Expand Down Expand Up @@ -79,7 +86,23 @@ apiserver:
serviceAccount: service-catalog-apiserver
# if true, makes the API server serve the OpenAPI schema (which is problematic with older versions of kubectl)
serveOpenAPISpec: false
# Apiserver resource requests and limits
# Ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 100m
memory: 30Mi
controllerManager:
# annotations is a collection of annotations to add to the controllerManager pod.
annotations: {}
# nodeSelector to apply to the controllerManager pods
nodeSelector:
# healthcheck configures the readiness and liveliness probes for the controllerManager pod.
healthcheck:
enabled: true
# Log level; valid values are in the range 0 - 10
verbosity: 1
# Resync interval; format is a duration (`20m`, `1h`, etc)
Expand All @@ -103,9 +126,18 @@ controllerManager:
apiserverSkipVerify: true
# Whether the controller will expose metrics on /metrics
enablePrometheusScrape: false
# Controller Manager resource requests and limits
# Ref: http://kubernetes.io/docs/user-guide/compute-resources/
resources:
requests:
cpu: 100m
memory: 20Mi
limits:
cpu: 100m
memory: 30Mi
# Whether the OriginatingIdentity alpha feature should be enabled
originatingIdentityEnabled: false
# Whether the AsyncBindingOperations alpha feature should be enabled
asyncBindingOperationsEnabled: false
# Whether the NamespacedServiceBroker alpha feature should be enabled
namespacedServiceBrokerEnabled: false
# Whether the NamespacedServiceBroker alpha feature should be disabled
namespacedServiceBrokerDisabled: false
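Review bot: `nodeSelector:` is left with a bare empty value in both the `apiserver` and `controllerManager` blocks, which YAML reads as null rather than an empty map; the sibling `annotations: {}` keys use an explicit empty map, so `nodeSelector: {}` would match that convention and make the intended type unambiguous for anyone overriding it. The comments on the two new `healthcheck` keys say "liveliness" where the Kubernetes probe is the liveness probe; suggest `# healthcheck configures the readiness and liveness probes for the apiserver pod.` and the same wording for the controllerManager twin.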
