From a7f2a9282d05084e875a82d8683ff26c5034d103 Mon Sep 17 00:00:00 2001 From: d-kuro Date: Mon, 9 Aug 2021 14:27:07 +0900 Subject: [PATCH] Add templates 
Signed-off-by: d-kuro --- charts/accurate/.helmignore | 23 +++++ charts/accurate/Chart.yaml | 24 +++++ .../accurate.cybozu.com_subnamespaces.yaml | 43 +++++++++ charts/accurate/templates/NOTES.txt | 0 charts/accurate/templates/_helpers.tpl | 62 ++++++++++++ charts/accurate/templates/certificate.yaml | 15 +++ charts/accurate/templates/clusterrole.yaml | 96 +++++++++++++++++++ .../templates/clusterrolebinding.yaml | 29 ++++++ charts/accurate/templates/configmap.yaml | 28 ++++++ charts/accurate/templates/deployment.yaml | 76 +++++++++++++++ charts/accurate/templates/issuer.yaml | 9 ++ .../mutatingwebhookconfiguration.yaml | 30 ++++++ charts/accurate/templates/role.yaml | 39 ++++++++ charts/accurate/templates/rolebinding.yaml | 15 +++ charts/accurate/templates/service.yaml | 14 +++ charts/accurate/templates/serviceaccount.yaml | 7 ++ .../validatingwebhookconfiguration.yaml | 52 ++++++++++ charts/accurate/values.yaml | 0 18 files changed, 562 insertions(+) create mode 100644 charts/accurate/.helmignore create mode 100644 charts/accurate/Chart.yaml create mode 100644 charts/accurate/crds/accurate.cybozu.com_subnamespaces.yaml create mode 100644 charts/accurate/templates/NOTES.txt create mode 100644 charts/accurate/templates/_helpers.tpl create mode 100644 charts/accurate/templates/certificate.yaml create mode 100644 charts/accurate/templates/clusterrole.yaml create mode 100644 charts/accurate/templates/clusterrolebinding.yaml create mode 100644 charts/accurate/templates/configmap.yaml create mode 100644 charts/accurate/templates/deployment.yaml create mode 100644 charts/accurate/templates/issuer.yaml create mode 100644 charts/accurate/templates/mutatingwebhookconfiguration.yaml create mode 100644 charts/accurate/templates/role.yaml create mode 100644 charts/accurate/templates/rolebinding.yaml create mode 100644 charts/accurate/templates/service.yaml create mode 100644 charts/accurate/templates/serviceaccount.yaml create mode 100644 
charts/accurate/templates/validatingwebhookconfiguration.yaml create mode 100644 charts/accurate/values.yaml
diff --git a/charts/accurate/.helmignore b/charts/accurate/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/accurate/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/accurate/Chart.yaml b/charts/accurate/Chart.yaml
new file mode 100644
index 0000000..f726041
--- /dev/null
+++ b/charts/accurate/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: accurate
+description: Accurate is a Kubernetes controller for soft multi-tenancy environments.
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: 0.1.0
diff --git a/charts/accurate/crds/accurate.cybozu.com_subnamespaces.yaml b/charts/accurate/crds/accurate.cybozu.com_subnamespaces.yaml
new file mode 100644
index 0000000..f179c4e
--- /dev/null
+++ b/charts/accurate/crds/accurate.cybozu.com_subnamespaces.yaml
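Review bot: In charts/accurate/Chart.yaml, `appVersion: 0.1.0` is left unquoted even though the comment directly above it recommends quotes. A three-part version happens to parse as a string, but a later two-part value such as 1.10 would be read as a float, so I would write `appVersion: "0.1.0"`. The Deployment template in this patch also hard-codes the image tag `0.1.0` instead of deriving it from `.Chart.AppVersion`, so the chart metadata and the image that actually runs can drift apart.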
@@ -0,0 +1,43 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.6.1 + labels: + app.kubernetes.io/name: accurate + name: subnamespaces.accurate.cybozu.com +spec: + group: accurate.cybozu.com + names: + kind: SubNamespace + listKind: SubNamespaceList + plural: subnamespaces + singular: subnamespace + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: SubNamespace is the Schema for the subnamespaces API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.' + type: string + metadata: + type: object + status: + description: Status is the status of SubNamespace. + enum: + - ok + - conflict + type: string + type: object + served: true + storage: true diff --git a/charts/accurate/templates/NOTES.txt b/charts/accurate/templates/NOTES.txt new file mode 100644 index 0000000..e69de29 diff --git a/charts/accurate/templates/_helpers.tpl b/charts/accurate/templates/_helpers.tpl new file mode 100644 index 0000000..cf3974e --- /dev/null +++ b/charts/accurate/templates/_helpers.tpl 
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "accurate.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "accurate.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "accurate.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "accurate.labels" -}}
+helm.sh/chart: {{ include "accurate.chart" . }}
+{{ include "accurate.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "accurate.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "accurate.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "accurate.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "accurate.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
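Review bot: The `accurate.serviceAccountName` helper in charts/accurate/templates/_helpers.tpl reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but values.yaml is added empty in this patch, so the first template that includes the helper will fail to render with a nil-pointer error on `.Values.serviceAccount`. None of the templates in this patch call it; they all hard-code `{{ template "accurate.fullname" . }}-controller-manager`, so the ServiceAccount name in the RBAC subjects and in the Deployment is kept in sync only by hand. Either drop the helper, or add a `serviceAccount:` stanza to values.yaml and use the helper in serviceaccount.yaml, deployment.yaml and the three binding subjects. Separately, the values `{{ include "accurate.chart" . }}` and `{{ .Release.Service }}` in `accurate.labels` are emitted unquoted; piping them through `quote`, as the version label already does, protects against values that YAML would retype.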
diff --git a/charts/accurate/templates/certificate.yaml b/charts/accurate/templates/certificate.yaml
new file mode 100644
index 0000000..f7fa110
--- /dev/null
+++ b/charts/accurate/templates/certificate.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ template "accurate.fullname" . }}-serving-cert
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+spec:
+ dnsNames:
+ - {{ template "accurate.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc
+ - {{ template "accurate.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
+ issuerRef:
+ kind: Issuer
+ name: {{ template "accurate.fullname" . }}-selfsigned-issuer
+ secretName: {{ template "accurate.fullname" . }}-webhook-server-cert
diff --git a/charts/accurate/templates/clusterrole.yaml b/charts/accurate/templates/clusterrole.yaml
new file mode 100644
index 0000000..b02ec8b
--- /dev/null
+++ b/charts/accurate/templates/clusterrole.yaml
@@ -0,0 +1,96 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "accurate.fullname" . }}-manager-role
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - accurate.cybozu.com
+ resources:
+ - subnamespaces
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - accurate.cybozu.com
+ resources:
+ - subnamespaces/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - accurate.cybozu.com
+ resources:
+ - subnamespaces/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "accurate.fullname" . }}-subnamespace-editor-role
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ {{- include "accurate.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - accurate.cybozu.com
+ resources:
+ - subnamespaces
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - accurate.cybozu.com
+ resources:
+ - subnamespaces/status
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "accurate.fullname" . }}-subnamespace-viewer-role
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ {{- include "accurate.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - accurate.cybozu.com
+ resources:
+ - subnamespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - accurate.cybozu.com
+ resources:
+ - subnamespaces/status
+ verbs:
+ - get
diff --git a/charts/accurate/templates/clusterrolebinding.yaml b/charts/accurate/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..85defca
--- /dev/null
+++ b/charts/accurate/templates/clusterrolebinding.yaml
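Review bot: The `subnamespace-editor-role` in charts/accurate/templates/clusterrole.yaml carries the `aggregate-to-admin` and `aggregate-to-edit` labels, so every subject that holds the built-in `edit` or `admin` role in a namespace gains create, update and delete on SubNamespace objects there as soon as the chart is installed. That is a change to two built-in ClusterRoles made as an install side effect, and nothing in the file says so. I would add a comment above the labels, for example `# Aggregated into the built-in admin and edit ClusterRoles: anyone with edit in a namespace can manage SubNamespaces there.`, and consider a values switch that turns the aggregation labels off for clusters where namespace editors must not create sub-namespaces.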
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "accurate.fullname" . }}-manager-admin
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "accurate.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "accurate.fullname" . }}-manager-rolebinding
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "accurate.fullname" . }}-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "accurate.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/accurate/templates/configmap.yaml b/charts/accurate/templates/configmap.yaml
new file mode 100644
index 0000000..3210b34
--- /dev/null
+++ b/charts/accurate/templates/configmap.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "accurate.fullname" . }}-config
+ namespace: {{ .Release.Namespace }}
+data:
+ config.yaml: |
+ # Labels to be propagated to sub-namespaces.
+ labelKeys:
+ - team
+
+ # Annotations to be propagated to sub-namespaces.
+ annotationKeys:
+ # An example to propagate an annotation for MetalLB
+ # https://metallb.universe.tf/usage/#requesting-specific-ips
+ - metallb.universe.tf/address-pool
+
+ # List of GVK for namespace-scoped resources that can be propagated.
+ # Any namespace-scoped resource is allowed.
+ watches:
+ - group: rbac.authorization.k8s.io
+ version: v1
+ kind: Role
+ - group: rbac.authorization.k8s.io
+ version: v1
+ kind: RoleBinding
+ - version: v1
+ kind: Secret
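Review bot: The first ClusterRoleBinding in charts/accurate/templates/clusterrolebinding.yaml binds the controller's ServiceAccount to the built-in `admin` ClusterRole cluster-wide, so the controller's token can read and write Secrets, Roles and RoleBindings in every namespace, including kube-system. The binding is unconditional and undocumented in the chart, and it sits on top of the `manager-role` binding that already allows creating and deleting namespaces. If the controller needs this to propagate arbitrary namespace-scoped resources, say so in a comment such as `# Grants admin in ALL namespaces; needed to propagate the kinds listed under watches.`, and make the binding optional through values so operators can substitute a narrower ClusterRole that matches their `watches` list. Whoever can schedule a pod with this ServiceAccount in the release namespace inherits the same reach, so the release namespace itself should be treated as privileged.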
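Review bot: The ConfigMap in charts/accurate/templates/configmap.yaml hard-codes the controller configuration, including `kind: Secret` under `watches` and an example MetalLB annotation key, and values.yaml is empty, so an operator cannot narrow what is propagated without forking the chart. Shipping Secret propagation as a fixed default deserves at least a comment next to that entry, and the `config.yaml` body would be better rendered from a values key (for instance with `toYaml`), defaulting to the current content. The metadata also omits the `{{- include "accurate.labels" . | nindent 4 }}` block that every other namespaced object in this patch carries.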
diff --git a/charts/accurate/templates/deployment.yaml b/charts/accurate/templates/deployment.yaml
new file mode 100644
index 0000000..7e4340f
--- /dev/null
+++ b/charts/accurate/templates/deployment.yaml
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "accurate.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/component: controller
+ {{- include "accurate.labels" . | nindent 4 }}
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: accurate
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: accurate
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+ spec:
+ containers:
+ - env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: ghcr.io/cybozu-go/accurate:0.1.0
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: health
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ - containerPort: 8081
+ name: health
+ protocol: TCP
+ - containerPort: 8080
+ name: metrics
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: health
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ requests:
+ cpu: 100m
+ memory: 20Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ - mountPath: /etc/accurate
+ name: config
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: {{ template "accurate.fullname" . }}-controller-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: {{ template "accurate.fullname" . }}-webhook-server-cert
+ - configMap:
+ name: {{ template "accurate.fullname" . }}-config
+ name: config
diff --git a/charts/accurate/templates/issuer.yaml b/charts/accurate/templates/issuer.yaml
new file mode 100644
index 0000000..e329647
--- /dev/null
+++ b/charts/accurate/templates/issuer.yaml
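Review bot: `checksum/config` in charts/accurate/templates/deployment.yaml appears under the pod template's `labels:` (no `annotations:` key is visible before it), and its value is the output of `sha256sum`, which is 64 hex characters; label values are limited to 63 characters, so the API server would reject the pod template. It belongs under `template.metadata.annotations`, where it still triggers a rollout when the ConfigMap changes. For a controller bound to cluster-wide `admin`, the container `securityContext` should also drop all capabilities and set a `seccompProfile` of type `RuntimeDefault`, and the image would be better pinned by digest than by the mutable tag `0.1.0`. The `matchLabels` here and the selector in service.yaml use a literal `app.kubernetes.io/name: accurate` without the instance label, so two releases in one namespace would select each other's pods and webhook traffic could reach the wrong release.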
@@ -0,0 +1,9 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ template "accurate.fullname" . }}-selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+spec:
+ selfSigned: {}
diff --git a/charts/accurate/templates/mutatingwebhookconfiguration.yaml b/charts/accurate/templates/mutatingwebhookconfiguration.yaml
new file mode 100644
index 0000000..5fadbfd
--- /dev/null
+++ b/charts/accurate/templates/mutatingwebhookconfiguration.yaml
@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ template "accurate.fullname" . }}-mutating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "accurate.fullname" . }}-serving-cert
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: {{ template "accurate.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /mutate-accurate-cybozu-com-v1-subnamespace
+ failurePolicy: Fail
+ name: msubnamespace.kb.io
+ rules:
+ - apiGroups:
+ - accurate.cybozu.com
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - subnamespaces
+ sideEffects: None
diff --git a/charts/accurate/templates/role.yaml b/charts/accurate/templates/role.yaml
new file mode 100644
index 0000000..9784afc
--- /dev/null
+++ b/charts/accurate/templates/role.yaml
@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "accurate.fullname" . }}-leader-election-role
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
diff --git a/charts/accurate/templates/rolebinding.yaml b/charts/accurate/templates/rolebinding.yaml
new file mode 100644
index 0000000..37daf46
--- /dev/null
+++ b/charts/accurate/templates/rolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "accurate.fullname" . }}-leader-election-rolebinding
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "accurate.fullname" . }}-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "accurate.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/accurate/templates/service.yaml b/charts/accurate/templates/service.yaml
new file mode 100644
index 0000000..22302a7
--- /dev/null
+++ b/charts/accurate/templates/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "accurate.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+spec:
+ ports:
+ - port: 443
+ targetPort: webhook-server
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/name: accurate
diff --git a/charts/accurate/templates/serviceaccount.yaml b/charts/accurate/templates/serviceaccount.yaml
new file mode 100644
index 0000000..6aa9787
--- /dev/null
+++ b/charts/accurate/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "accurate.fullname" . }}-controller-manager
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
diff --git a/charts/accurate/templates/validatingwebhookconfiguration.yaml b/charts/accurate/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 0000000..0c44372
--- /dev/null
+++ b/charts/accurate/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,52 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ template "accurate.fullname" . }}-validating-webhook-configuration
+ annotations:
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ template "accurate.fullname" . }}-serving-cert
+ labels:
+ {{- include "accurate.labels" . | nindent 4 }}
+webhooks:
+ - admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: {{ template "accurate.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-v1-namespace
+ failurePolicy: Fail
+ name: vnamespace.kb.io
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ - DELETE
+ resources:
+ - namespaces
+ sideEffects: None
+ - admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: {{ template "accurate.fullname" . }}-webhook-service
+ namespace: {{ .Release.Namespace }}
+ path: /validate-accurate-cybozu-com-v1-subnamespace
+ failurePolicy: Fail
+ name: vsubnamespace.kb.io
+ rules:
+ - apiGroups:
+ - accurate.cybozu.com
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - subnamespaces
+ sideEffects: None
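Review bot: The `vnamespace.kb.io` webhook in charts/accurate/templates/validatingwebhookconfiguration.yaml intercepts CREATE, UPDATE and DELETE on every Namespace with `failurePolicy: Fail` and sets neither `namespaceSelector` nor `timeoutSeconds`, so whenever the two controller pods or the cert-manager-issued serving certificate are unavailable, namespace operations across the whole cluster are rejected. Failing closed is the right default for an enforcement webhook, but the blast radius should be stated and bounded: set an explicit short `timeoutSeconds`, and document the recovery step of removing the webhook configuration when the controller cannot start. A PodDisruptionBudget for the Deployment would also help keep one replica serving during node drains. The MutatingWebhookConfiguration in this patch has the same `failurePolicy: Fail`, but only for SubNamespace objects, which limits its impact.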
diff --git a/charts/accurate/values.yaml b/charts/accurate/values.yaml
new file mode 100644
index 0000000..e69de29