Skip to content
This repository has been archived by the owner on Feb 22, 2022. It is now read-only.

[incubator/rundeck] envSecret, awsConfigSecret, kubeConfigSecret, extraConfigSecret, nginx req size #23004

Merged
merged 2 commits into from
Jul 3, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions incubator/rundeck/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@ apiVersion: v1
description: A Rundeck chart for Kubernetes
name: rundeck
home: https://github.com/rundeck/rundeck
version: 0.2.1
appVersion: 3.2.7
version: 0.3.0
appVersion: 3.2.8
keywords:
- rundeck
- jobs
Expand Down
84 changes: 83 additions & 1 deletion incubator/rundeck/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,11 @@ ingress | Any ingress rules to apply. | None
resources | Any resource constraints to apply. | None
rundeck.adminUser | The config to set up the admin user that should be placed at the realm.properties file. | "admin:admin,user,admin,architect,deploy,build"
rundeck.env | The rundeck environment variables that you would want to set | Default variables provided in docker file
rundeck.envSecret | Name of secret containing environment variables to add to the Rundeck deployment | ""
rundeck.sshSecrets | A reference to the Kubernetes Secret that contains the ssh keys. | ""
rundeck.awsCredentialsSecret | A reference to the Kubernetes Secret that contains the aws credentials. | ""
rundeck.awsConfigSecret | Name of secret to mount under the `~/.aws/` directory. Useful when AWS IRSA is not an option. | ""
rundeck.kubeConfigSecret | Name of secret to mount under the `~/.kube/` directory. Useful when Rundeck needs configuration for multiple K8s clusters. | ""
rundeck.extraConfigSecret | Name of secret containing additional files to mount at `~/extra/`. Can be useful for working with RUNDECK_TOKENS_FILE configuration | ""
nginxConfOverride | An optional multi-line value that can replace the default nginx.conf. | ""
persistence.enabled | Whether or not to attach persistent storage to the Rundeck pod | false
persistence.claim.create | Whether the helm chart should create a persistent volume claim. See the values.yaml for more claim options | false
Expand All @@ -36,3 +39,82 @@ persistence.existingClaim | Name of an existing volume claim | None
serviceAccount.create | Set to true to create a service account for the Rundeck pod | false
serviceAccount.annotations | A map of annotations to attach to the service account (eg: AWS IRSA) | {}
serviceAccount.name | Name of the service account the Rundeck pod should use | ""

## AWS & K8s Permissions

If Rundeck jobs need access to the AWS or Kubernetes APIs this chart provides a couple options.

### AWS IRSA
If running Rundeck in AWS on EKS, [AWS IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html) can be used to grant Rundeck IAM permissions by adding the appropriate annotation at `serviceAccount.annotations` (see `./values.yaml` for example). This can also be used to grant access to other EKS K8s APIs by adding the proper role bindings in those clusters that reference the IAM user.

### AWS & K8s
The `rundeck.awsConfigSecret` and `rundeck.kubeConfigSecret` keys allow for mounting additional configuration for AWS and Kubernetes tools and SDKs. The secrets are mounted into their respective configuration directories under the Rundeck users's home directory.

For example, you can create a secret containing kubeconfig file content that can be used to configure authentication to another remote cluster via the AWS IAM authenticator. Combine this with an AWS IRSA annotation on the Rundeck service account and you can configure Rundeck to auth to multiple EKS clusters' APIs accross multiple AWS accounts without ever needing to manage AWS IAM API keys or K8s credentials.
```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: rundeck-kube-config
namespace: rundeck
stringData:
config: |-
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJ[YOUR_CLUSTER_CA_INFO]tLQo=
server: https://[your_eks_server_id].sk1.us-west-2.eks.amazonaws.com
name: staging
contexts:
- context:
cluster: staging
user: admin
namespace: default
name: stating
current-context: staging
preferences: {}
users:
- name: admin
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- token
- -i
- staging
command: aws-iam-authenticator
```

Note that the Rundeck Docker image does not currently include the [Kubernetes plugin](https://github.com/rundeck-plugins/kubernetes) nor the `aws-iam-authenticator`, `kubectl`, and `aws` command line tools. All of these may be added to the Rundeck image by extending the Dockerfile with additional install steps.

An example Dockerfile that adds the Rundeck k8s module and needed CLI tools:
```Dockerfile
ARG RUNDECK_IMAGE
FROM ${RUNDECK_IMAGE:-rundeck/rundeck:3.2.6-20200427}

# Kubernetes support
USER root
RUN apt-get update && sudo apt-get install -y apt-transport-https gnupg2
RUN curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
RUN echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list
RUN apt-get update && apt-get install -y \
kubectl \
apt-transport-https \
gnupg2 \
python3-pip \
awscli \
&& rm -rf /var/lib/apt/lists/*
RUN pip3 install kubernetes requests==2.22.0
RUN ln -s /usr/bin/python3 /usr/bin/python

# Install aws-iam-authenticator
RUN curl -o aws-iam-authenticator \
https://amazon-eks.s3.us-west-2.amazonaws.com/1.16.8/2020-04-16/bin/linux/amd64/aws-iam-authenticator && \
chmod +x ./aws-iam-authenticator && \
mv aws-iam-authenticator /usr/local/bin

USER rundeck
ADD --chown=rundeck:root https://github.com/rundeck-plugins/kubernetes/releases/download/1.0.15/kubernetes-plugin-1.0.15.zip ./libext/
```
1 change: 1 addition & 0 deletions incubator/rundeck/files/nginx/nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ http {
}
location / {
recursive_error_pages on;
client_max_body_size 50M; # upload archives (backup/restore)
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header User-Agent $http_user_agent;
Expand Down
31 changes: 26 additions & 5 deletions incubator/rundeck/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,7 @@ spec:
# This will restart the rundeck pod if its environment configuration is updated by helm
checksum/config: {{ include (print $.Template.BasePath "/rundeck-environment-configmap.yaml") . | sha256sum }}
{{- with .Values.deployment.annotations }}
annotations:
{{- toYaml . | nindent 10 }}
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "rundeck.name" . }}
Expand Down Expand Up @@ -63,6 +62,10 @@ spec:
envFrom:
- configMapRef:
name: {{ .Release.Name }}-environment-configmap
{{- if .Values.rundeck.envSecret }}
- secretRef:
name: {{ .Values.rundeck.envSecret }}
{{- end }}
env:
- name: RUNDECK_GRAILS_URL
value: {{ .Values.rundeck.env.RUNDECK_GRAILS_URL }}
Expand All @@ -78,9 +81,17 @@ spec:
mountPath: /home/rundeck/.ssh
readOnly: true
{{- end }}
{{- if .Values.rundeck.awsCredentialsSecret }}
- name: aws-credentials
mountPath: /home/rundeck/.aws/credentials
{{- if .Values.rundeck.awsConfigSecret }}
- name: aws-config
mountPath: /home/rundeck/.aws/
{{- end }}
{{- if .Values.rundeck.kubeConfigSecret }}
- name: kube-config
mountPath: /home/rundeck/.kube/
{{- end }}
{{- if .Values.rundeck.extraConfigSecret }}
- name: extra-config
mountPath: /home/rundeck/extra/
{{- end }}
ports:
- name: rundeck
Expand Down Expand Up @@ -135,6 +146,16 @@ spec:
secret:
secretName: {{ .Values.rundeck.awsCredentialsSecret}}
{{- end }}
{{- if .Values.rundeck.kubeConfigSecret }}
- name: kube-config
secret:
secretName: {{ .Values.rundeck.kubeConfigSecret}}
{{- end }}
{{- if .Values.rundeck.extraConfigSecret }}
- name: extra-config
secret:
secretName: {{ .Values.rundeck.extraConfigSecret}}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
Expand Down
18 changes: 17 additions & 1 deletion incubator/rundeck/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,24 @@ rundeck:
# RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_REGION: ${RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_REGION}
# RUNDECK_STORAGE_CONVERTER_1_CONFIG_PASSWORD: ${RUNDECK_STORAGE_PASSWORD}
# RUNDECK_CONFIG_STORAGE_CONVERTER_1_CONFIG_PASSWORD: ${RUNDECK_STORAGE_PASSWORD}
# RUNDECK_TOKENS_FILE: /home/rundeck/extra/tokens.properties

# Name of the secret containing SSH files to mount under ~/.ssh
# sshSecrets: "ssh-secret"
awsCredentialsSecret: ""

# Name of secret containing to mount under ~/.aws/
# awsConfigSecret: "aws-secret"

# Name of secret to mount under ~/.kube/
# kubeConfigSecret: "kube-secret"

# Name of secret containing additional sensitive Runtime environment variables (eg: RUNDECK_DATABASE_PASSWORD)
# See https://hub.docker.com/r/rundeck/rundeck/
# envSecret: "env-secret"

# Name of secret containing additional files to mount into Rundeck's ~/extra directory.
# This can be useful for populating a file you reference with RUNDECK_TOKENS_FILE above.
# extraConfigSecret: "extra-secret"

nameOverride: ""
fullnameOverride: ""
Expand Down