Merge pull request #624 from cliveseldon/gcp_marketplace

Registry Image Tags and RBAC control for Operator Helm Chart

helm-charts/seldon-core-operator/templates/controller.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.rbac.roleBinding }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -167,16 +168,16 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  creationTimestamp: null
   name: seldon-operator-manager-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: seldon-operator-manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
-  namespace: {{ .Release.Namespace }}  
+  name: {{ .Values.rbac.serviceAccount }}  
+  namespace: {{ .Release.Namespace }}
+{{- end }}    
 ---
 apiVersion: v1
 kind: Secret
@@ -221,6 +222,7 @@ spec:
         control-plane: controller-manager
         controller-tools.k8s.io: "1.0"
     spec:
+      serviceAccountName: {{ .Values.rbac.serviceAccount }}
       containers:
       - command:
         - /manager
@@ -236,7 +238,7 @@ spec:
         - name: AMBASSADOR_SINGLE_NAMESPACE
           value: '{{ .Values.ambassador.singleNamespace }}'
         - name: ENGINE_CONTAINER_IMAGE_AND_VERSION
-          value: {{ .Values.engine.image.repository }}:{{ .Values.engine.image.tag }}
+          value: {{ .Values.engine.image.registry }}/{{ .Values.engine.image.repository }}:{{ .Values.engine.image.tag }}
         - name: ENGINE_CONTAINER_IMAGE_PULL_POLICY
           value: {{ .Values.engine.image.pullPolicy }}
         - name: ENGINE_CONTAINER_SERVICE_ACCOUNT_NAME
@@ -257,7 +259,7 @@ spec:
           value: '{{ .Values.istio.enabled }}'
         - name: ISTIO_GATEWAY
           value: '{{ .Values.istio.gateway }}'
-        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+        image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         name: manager
         ports:

helm-charts/seldon-core-operator/templates/spartakus-config-map.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.usageMetrics.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: seldon-spartakus-config
+  namespace: kube-system
+data:
+  spartakus.volunteer.clusterid: {{ default uuidv4 .Values.usageMetrics.clusterid }}
+  spartakus.volunteer.database: {{ .Values.usageMetrics.database }}
+  spartakus.volunteer.extensions: '{"seldon-core-version":"{{ .Chart.Version }}"}'
+{{- end }}

helm-charts/seldon-core-operator/templates/spartakus-rbac.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.usageMetrics.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: seldon-spartakus-volunteer
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: seldon-spartakus-volunteer
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: seldon-spartakus-volunteer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: seldon-spartakus-volunteer
+subjects:
+- kind: ServiceAccount
+  name: seldon-spartakus-volunteer
+  namespace: kube-system
+{{- end }}
+

helm-charts/seldon-core-operator/templates/spartakus-volunteer-deployment.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.usageMetrics.enabled }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: seldon-spartakus-volunteer
+  namespace: kube-system
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: seldon-spartakus-volunteer
+    spec:
+      containers:
+      - args:
+        - volunteer
+        - --cluster-id=$(SPARTAKUS_VOLUNTEER_CLUSTERID)
+        - --database=$(SPARTAKUS_VOLUNTEER_DATABASE)
+        - --extensions=/etc/config/spartakus.volunteer.extensions
+        env:
+        - name: SPARTAKUS_VOLUNTEER_CLUSTERID
+          valueFrom:
+            configMapKeyRef:
+              key: spartakus.volunteer.clusterid
+              name: seldon-spartakus-config
+        - name: SPARTAKUS_VOLUNTEER_DATABASE
+          valueFrom:
+            configMapKeyRef:
+              key: spartakus.volunteer.database
+              name: seldon-spartakus-config
+        image: gcr.io/google_containers/spartakus-amd64:v1.1.0
+        name: seldon-spartakus-volunteer
+        volumeMounts:
+        - mountPath: /etc/config
+          name: seldon-spartakus-config-volume
+      serviceAccountName: seldon-spartakus-volunteer
+      volumes:
+      - configMap:
+          name: seldon-spartakus-config
+        name: seldon-spartakus-config-volume
+{{- end }}

helm-charts/seldon-core-operator/values.yaml

@@ -6,6 +6,7 @@ engine:
     port: 5001
   image:
     pullPolicy: IfNotPresent
+    registry: docker.io    
     repository: seldonio/engine
     tag: 0.3.1-SNAPSHOT
   port: 8000
@@ -17,7 +18,8 @@ engine:
     name: default
   user: 8888
 image:
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
+  registry: docker.io
   repository: seldonio/seldon-core-operator
   tag: 0.3.1-SNAPSHOT
 istio:
@@ -26,7 +28,8 @@ istio:
 predictiveUnit:
   port: 9000
 rbac:
-  enabled: true
+  roleBinding: true
+  serviceAccount: default
 usageMetrics:
   database: http://seldon-core-stats.seldon.io
   enabled: false