From 604af0d5fc920a7bd8fbfd9875fda48494e2e390 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Sat, 25 May 2019 03:13:10 -0700 Subject: [PATCH] Move chart & deploy scripts to github.com/stashed/installer (#811) 
Signed-off-by: Tamal Saha --- chart/stash/.helmignore | 23 - chart/stash/Chart.yaml | 12 - chart/stash/OWNERS | 5 - chart/stash/README.md | 95 --- chart/stash/templates/NOTES.txt | 3 - chart/stash/templates/_helpers.tpl | 38 -- chart/stash/templates/apiregistration.yaml | 116 ---- chart/stash/templates/backup-job-psp.yaml | 22 - chart/stash/templates/backup-job-scc.yaml | 32 - .../templates/backupsession-cron-psp.yaml | 22 - .../templates/backupsession-cron-scc.yaml | 32 - chart/stash/templates/cleaner.yaml | 28 - .../stash/templates/cluster-role-binding.yaml | 14 - chart/stash/templates/cluster-role.yaml | 122 ---- chart/stash/templates/deployment.yaml | 134 ----- chart/stash/templates/mutating-webhook.yaml | 143 ----- chart/stash/templates/operator-psp.yaml | 22 - chart/stash/templates/operator-scc.yaml | 33 -- chart/stash/templates/restore-job-psp.yaml | 21 - chart/stash/templates/restore-job-scc.yaml | 32 - chart/stash/templates/service-account.yaml | 9 - chart/stash/templates/service.yaml | 35 -- chart/stash/templates/servicemonitor.yaml | 37 -- chart/stash/templates/user-roles.yaml | 46 -- chart/stash/templates/validating-webhook.yaml | 99 ---- chart/stash/values.yaml | 113 ---- hack/deploy/apiservices.yaml | 50 -- hack/deploy/monitor/apiserver-cert.yaml | 12 - .../deploy/monitor/servicemonitor-backup.yaml | 17 - .../monitor/servicemonitor-operator.yaml | 21 - hack/deploy/monitor/servicemonitor.yaml | 23 - hack/deploy/mutating-webhook.yaml | 123 ---- hack/deploy/operator.yaml | 128 ---- hack/deploy/psp/backup-job.yaml | 22 - hack/deploy/psp/backupsession-cron.yaml | 22 - hack/deploy/psp/operator.yaml | 22 - hack/deploy/psp/restore-job.yaml | 21 - hack/deploy/rbac-list.yaml | 173 ------ hack/deploy/run-on-master.yaml | 12 - hack/deploy/scc/backup-job.yaml | 30 - hack/deploy/scc/backupsession-cron.yaml | 30 - hack/deploy/scc/operator.yaml | 31 - hack/deploy/scc/restore-job.yaml | 30 - hack/deploy/service-account.yaml | 7 - hack/deploy/stash.sh | 550 
------------------ hack/deploy/user-roles.yaml | 40 -- hack/deploy/validating-webhook.yaml | 83 --- 47 files changed, 2735 deletions(-) delete mode 100644 chart/stash/.helmignore delete mode 100755 chart/stash/Chart.yaml delete mode 100644 chart/stash/OWNERS delete mode 100644 chart/stash/README.md delete mode 100644 chart/stash/templates/NOTES.txt delete mode 100644 chart/stash/templates/_helpers.tpl delete mode 100644 chart/stash/templates/apiregistration.yaml delete mode 100644 chart/stash/templates/backup-job-psp.yaml delete mode 100644 chart/stash/templates/backup-job-scc.yaml delete mode 100644 chart/stash/templates/backupsession-cron-psp.yaml delete mode 100644 chart/stash/templates/backupsession-cron-scc.yaml delete mode 100644 chart/stash/templates/cleaner.yaml delete mode 100644 chart/stash/templates/cluster-role-binding.yaml delete mode 100644 chart/stash/templates/cluster-role.yaml delete mode 100644 chart/stash/templates/deployment.yaml delete mode 100644 chart/stash/templates/mutating-webhook.yaml delete mode 100644 chart/stash/templates/operator-psp.yaml delete mode 100644 chart/stash/templates/operator-scc.yaml delete mode 100644 chart/stash/templates/restore-job-psp.yaml delete mode 100644 chart/stash/templates/restore-job-scc.yaml delete mode 100644 chart/stash/templates/service-account.yaml delete mode 100644 chart/stash/templates/service.yaml delete mode 100644 chart/stash/templates/servicemonitor.yaml delete mode 100644 chart/stash/templates/user-roles.yaml delete mode 100644 chart/stash/templates/validating-webhook.yaml delete mode 100644 chart/stash/values.yaml delete mode 100644 hack/deploy/apiservices.yaml delete mode 100644 hack/deploy/monitor/apiserver-cert.yaml delete mode 100644 hack/deploy/monitor/servicemonitor-backup.yaml delete mode 100644 hack/deploy/monitor/servicemonitor-operator.yaml delete mode 100644 hack/deploy/monitor/servicemonitor.yaml delete mode 100644 hack/deploy/mutating-webhook.yaml delete mode 100644 
hack/deploy/operator.yaml delete mode 100644 hack/deploy/psp/backup-job.yaml delete mode 100644 hack/deploy/psp/backupsession-cron.yaml delete mode 100644 hack/deploy/psp/operator.yaml delete mode 100644 hack/deploy/psp/restore-job.yaml delete mode 100644 hack/deploy/rbac-list.yaml delete mode 100644 hack/deploy/run-on-master.yaml delete mode 100644 hack/deploy/scc/backup-job.yaml delete mode 100644 hack/deploy/scc/backupsession-cron.yaml delete mode 100644 hack/deploy/scc/operator.yaml delete mode 100644 hack/deploy/scc/restore-job.yaml delete mode 100644 hack/deploy/service-account.yaml delete mode 100755 hack/deploy/stash.sh delete mode 100644 hack/deploy/user-roles.yaml delete mode 100644 hack/deploy/validating-webhook.yaml diff --git a/chart/stash/.helmignore b/chart/stash/.helmignore deleted file mode 100644 index be86b789d..000000000 --- a/chart/stash/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -# Helm files -OWNERS diff --git a/chart/stash/Chart.yaml b/chart/stash/Chart.yaml deleted file mode 100755 index 909ba5bf2..000000000 --- a/chart/stash/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -description: 'Stash by AppsCode - Backup your Kubernetes Volumes' -name: stash -version: 0.8.3 -appVersion: 0.8.3 -home: https://github.com/stashed/stash -icon: https://cdn.appscode.com/images/icon/stash.png -sources: - - https://github.com/stashed/stash -maintainers: - - name: appscode - email: support@appscode.com diff --git a/chart/stash/OWNERS b/chart/stash/OWNERS deleted file mode 100644 index 6731d355c..000000000 --- a/chart/stash/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@ -approvers: -- tamalsaha -reviewers: -- tamalsaha - diff --git a/chart/stash/README.md b/chart/stash/README.md deleted file mode 100644 index 8cd06729c..000000000 --- a/chart/stash/README.md +++ /dev/null 
@@ -1,95 +0,0 @@ -# Stash -[Stash by AppsCode](https://github.com/stashed/stash) - Backup your Kubernetes Volumes -## TL;DR; - -```console -$ helm repo add appscode https://charts.appscode.com/stable/ -$ helm repo update -$ helm install appscode/stash --name stash-operator --namespace kube-system -``` - -## Introduction - -This chart bootstraps a [Stash controller](https://github.com/stashed/stash) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -## Prerequisites - -- Kubernetes 1.8+ - -## Installing the Chart -To install the chart with the release name `stash-operator`: -```console -$ helm install appscode/stash --name stash-operator -``` -The command deploys Stash operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `stash-operator`: - -```console -$ helm delete stash-operator -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Configuration - -The following table lists the configurable parameters of the Stash chart and their default values. 
- - -| Parameter | Description | Default | -| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | -| `replicaCount` | Number of stash operator replicas to create (only 1 is supported) | `1` | -| `operator.registry` | Docker registry used to pull operator image | `appscode` | -| `operator.repository` | operator container image | `stash` | -| `operator.tag` | operator container image tag | `0.8.3` | -| `pushgateway.registry` | Docker registry used to pull Prometheus pushgateway image | `prom` | -| `pushgateway.repository` | Prometheus pushgateway container image | `pushgateway` | -| `pushgateway.tag` | Prometheus pushgateway container image tag | `v0.5.2` | -| `cleaner.registry` | Docker registry used to pull Webhook cleaner image | `appscode` | -| `cleaner.repository` | Webhook cleaner container image | `kubectl` | -| `cleaner.tag` | Webhook cleaner container image tag | `v1.11` | -| `imagePullPolicy` | container image pull policy | `IfNotPresent` | -| `criticalAddon` | If true, installs Stash operator as critical addon | `false` | -| `logLevel` | Log level for operator | `3` | -| `affinity` | Affinity rules for pod assignment | `{}` | -| `annotations` | Annotations applied to operator pod(s) | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Tolerations used pod assignment | `{}` | -| `serviceAccount.create` | If `true`, create a new service account | `true` | -| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | `` | -| `apiserver.groupPriorityMinimum` | The minimum priority the group should have. | 10000 | -| `apiserver.versionPriority` | The ordering of this API inside of the group. 
| 15 | -| `apiserver.enableValidatingWebhook` | Enable validating webhooks for Stash CRDs | true | -| `apiserver.enableMutatingWebhook` | Enable mutating webhooks for Kubernetes workloads | true | -| `apiserver.ca` | CA certificate used by main Kubernetes api server | `not-ca-cert` | -| `apiserver.disableStatusSubresource` | If true, disables status sub resource for crds. Otherwise enables based on Kubernetes version | `false` | -| `apiserver.bypassValidatingWebhookXray` | If true, bypasses validating webhook xray checks | `false` | -| `apiserver.useKubeapiserverFqdnForAks` | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 | `true` | -| `apiserver.healthcheck.enabled` | Enable readiness and liveliness probes | `true` | -| `enableAnalytics` | Send usage events to Google Analytics | `true` | -| `monitoring.agent` | Specify which monitoring agent to use for monitoring Stash. It accepts either `prometheus.io/builtin` or `prometheus.io/coreos-operator`. | `none` | -| `monitoring.backup` | Specify whether to monitor Stash backup and recovery. | `false` | -| `monitoring.operator` | Specify whether to monitor Stash operator. | `false` | -| `monitoring.prometheus.namespace` | Specify the namespace where Prometheus server is running or will be deployed. | Release namespace | -| `monitoring.serviceMonitor.labels` | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/coreos-operator`. | `app: ` and `release: ` | -| `additionalPodSecurityPolicies` | Additional psp names passed to operator | `[]` | -| `platform.openshift` | Name of platform (eg: Openshift, AKS, EKS, GKE, etc.) | `false` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example: - -```console -$ helm install --name stash-operator --set image.tag=v0.2.1 appscode/stash -``` - -Alternatively, a YAML file that specifies the values for the parameters can be provided while -installing the chart. For example: - -```console -$ helm install --name stash-operator --values values.yaml appscode/stash -``` - - diff --git a/chart/stash/templates/NOTES.txt b/chart/stash/templates/NOTES.txt deleted file mode 100644 index b7fe933c9..000000000 --- a/chart/stash/templates/NOTES.txt +++ /dev/null @@ -1,3 +0,0 @@ -To verify that Stash has started, run: - - kubectl --namespace={{ .Release.Namespace }} get deployments -l "release={{ .Release.Name }}, app={{ template "stash.name" . }}" diff --git a/chart/stash/templates/_helpers.tpl b/chart/stash/templates/_helpers.tpl deleted file mode 100644 index 894b22ff2..000000000 --- a/chart/stash/templates/_helpers.tpl +++ /dev/null 
@@ -1,38 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "stash.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "stash.fullname" -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "stash.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "stash.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{- define "stash.labels" -}} -chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" -app: "{{ template "stash.name" . }}" -release: {{ .Release.Name | quote}} -heritage: "{{ .Release.Service }}" -{{- end -}} diff --git a/chart/stash/templates/apiregistration.yaml b/chart/stash/templates/apiregistration.yaml deleted file mode 100644 index 81264bc0e..000000000 --- a/chart/stash/templates/apiregistration.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -{{- $ca := genCA "ca" 3650 }} -{{- $cn := include "stash.fullname" . -}} -{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }} -{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }} -{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} -{{- if or .Values.apiserver.enableMutatingWebhook .Values.apiserver.enableValidatingWebhook }} -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1alpha1.admission.stash.appscode.com - labels: - {{- include "stash.labels" . | nindent 4 }} -spec: - group: admission.stash.appscode.com - version: v1alpha1 - service: - namespace: {{ .Release.Namespace }} - name: {{ template "stash.fullname" . }} - caBundle: {{ b64enc $ca.Cert }} - groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }} - versionPriority: {{ .Values.apiserver.versionPriority }} ---- -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1beta1.admission.stash.appscode.com - labels: - {{- include "stash.labels" . | nindent 4 }} -spec: - group: admission.stash.appscode.com - version: v1beta1 - service: - namespace: {{ .Release.Namespace }} - name: {{ template "stash.fullname" . }} - caBundle: {{ b64enc $ca.Cert }} - groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }} - versionPriority: {{ .Values.apiserver.versionPriority }} ---- -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1alpha1.repositories.stash.appscode.com - labels: - {{- include "stash.labels" . | nindent 4 }} -spec: - group: repositories.stash.appscode.com - version: v1alpha1 - service: - namespace: {{ .Release.Namespace }} - name: {{ template "stash.fullname" . }} - caBundle: {{ b64enc $ca.Cert }} - groupPriorityMinimum: {{ .Values.apiserver.groupPriorityMinimum }} - versionPriority: {{ .Values.apiserver.versionPriority }} -{{ end }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "stash.fullname" . 
}}-apiserver-cert - namespace: {{ .Release.Namespace }} - labels: - {{- include "stash.labels" . | nindent 4 }} -type: Opaque -data: - tls.crt: {{ b64enc $cert.Cert }} - tls.key: {{ b64enc $cert.Key }} ---- -{{ $promNamespace:= default .Release.Namespace .Values.monitoring.prometheus.namespace }} -{{- if (and (ne $promNamespace .Release.Namespace) .Values.monitoring.operator) }} -# if operator monitoring is enabled and prometheus namespace is different than operator -# create the above secret in prometheus namespace too. -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "stash.fullname" . }}-apiserver-cert - namespace: {{ $promNamespace }} - labels: - {{- include "stash.labels" . | nindent 4 }} -type: kubernetes.io/tls -data: - tls.crt: {{ b64enc $cert.Cert }} - tls.key: {{ b64enc $cert.Key }} ---- -{{- end }} -# to read the config for terminating authentication -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "stash.fullname" . }}-apiserver-extension-server-authentication-reader - namespace: kube-system - labels: - {{- include "stash.labels" . | nindent 4 }} -roleRef: - kind: Role - apiGroup: rbac.authorization.k8s.io - name: extension-apiserver-authentication-reader -subjects: -- kind: ServiceAccount - name: {{ template "stash.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} ---- -# to delegate authentication and authorization -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "stash.fullname" . }}-apiserver-auth-delegator - labels: - {{- include "stash.labels" . | nindent 4 }} -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: {{ template "stash.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} diff --git a/chart/stash/templates/backup-job-psp.yaml b/chart/stash/templates/backup-job-psp.yaml deleted file mode 100644 index bd007e4c0..000000000 
--- a/chart/stash/templates/backup-job-psp.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: stash-backup-job - labels: - {{- include "stash.labels" . | nindent 4 }} -spec: - privileged: false - allowPrivilegeEscalation: false - volumes: - - "*" # backup job need to access all types of volume as user may backup any types of volume - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny diff --git a/chart/stash/templates/backup-job-scc.yaml b/chart/stash/templates/backup-job-scc.yaml deleted file mode 100644 index 5d948609e..000000000 --- a/chart/stash/templates/backup-job-scc.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if .Values.platform.openshift }} -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: stash-backup-job - labels: - {{- include "stash.labels" . | nindent 4 }} -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: false -allowPrivilegedContainer: false -allowedCapabilities: null -defaultAddCapabilities: null -fsGroup: - type: RunAsAny -groups: null -priority: null -readOnlyRootFilesystem: false -requiredDropCapabilities: null -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: null -volumes: -- '*' -{{ end }} diff --git a/chart/stash/templates/backupsession-cron-psp.yaml b/chart/stash/templates/backupsession-cron-psp.yaml deleted file mode 100644 index 2948a3fc7..000000000 --- a/chart/stash/templates/backupsession-cron-psp.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: stash-backupsession-cron - labels: - {{- include "stash.labels" . | nindent 4 }} -spec: - privileged: false - allowPrivilegeEscalation: false - hostNetwork: false - hostIPC: false - hostPID: false - volumes: - - secret # kubernetes mount service account token secret into the pod. so we need to give permission to mount secret volume - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny diff --git a/chart/stash/templates/backupsession-cron-scc.yaml b/chart/stash/templates/backupsession-cron-scc.yaml deleted file mode 100644 index f0f4c3706..000000000 --- a/chart/stash/templates/backupsession-cron-scc.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if .Values.platform.openshift }} -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: stash-backupsession-cron - labels: - {{- include "stash.labels" . | nindent 4 }} -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: false -allowPrivilegedContainer: false -allowedCapabilities: null -defaultAddCapabilities: null -fsGroup: - type: RunAsAny -groups: null -priority: null -readOnlyRootFilesystem: false -requiredDropCapabilities: null -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: null -volumes: -- secret -{{ end }} diff --git a/chart/stash/templates/cleaner.yaml b/chart/stash/templates/cleaner.yaml deleted file mode 100644 index a5ad6a0a5..000000000 --- a/chart/stash/templates/cleaner.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "stash.fullname" . }}-cleaner - labels: - {{- include "stash.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed -spec: - backoffLimit: 3 - activeDeadlineSeconds: 120 - template: - spec: - serviceAccountName: {{ template "stash.serviceAccountName" . }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 6 }} - {{- end }} - containers: - - name: busybox - image: {{ .Values.cleaner.registry }}/{{ .Values.cleaner.repository }}:{{ .Values.cleaner.tag }} - command: - - sh - - -c - - "sleep 2; kubectl delete validatingwebhookconfigurations admission.stash.appscode.com || true; kubectl delete mutatingwebhookconfiguration admission.stash.appscode.com || true" - imagePullPolicy: {{ .Values.imagePullPolicy }} - restartPolicy: Never diff --git a/chart/stash/templates/cluster-role-binding.yaml b/chart/stash/templates/cluster-role-binding.yaml deleted file mode 100644 index c87a63ab3..000000000 --- a/chart/stash/templates/cluster-role-binding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "stash.fullname" . }} - labels: - {{- include "stash.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "stash.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "stash.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} diff --git a/chart/stash/templates/cluster-role.yaml b/chart/stash/templates/cluster-role.yaml deleted file mode 100644 index bea1531ae..000000000 --- a/chart/stash/templates/cluster-role.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "stash.fullname" . }} - labels: - {{- include "stash.labels" . | nindent 4 }} -rules: -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: ["*"] -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: ["get", "patch"] -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: ["delete", "get", "list", "watch", "patch"] -- apiGroups: - - stash.appscode.com - resources: - - "*" - verbs: ["*"] -- apiGroups: - - appcatalog.appscode.com - resources: - - "*" - verbs: ["*"] -- apiGroups: - - apps - resources: - - daemonsets - - deployments - - replicasets - - statefulsets - verbs: ["get", "list", "watch", "patch"] -- apiGroups: - - batch - resources: - - jobs - - cronjobs - verbs: ["get", "list", "watch", "create", "delete", "patch"] -- apiGroups: - - "" - resources: - - namespaces - - replicationcontrollers - verbs: ["get", "list", "watch", "patch"] -- apiGroups: - - "" - resources: - - configmaps - verbs: ["create", "update", "get", "delete"] -- apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: ["get","list","watch"] -- apiGroups: - - "" - resources: - - secrets - - services - verbs: ["get"] -- apiGroups: - - "" - resources: - - events - verbs: ["create"] -- apiGroups: - - "" - resources: - - nodes - verbs: ["list"] -- apiGroups: - - "" - resources: - - pods - - pods/exec - verbs: ["get", "create", "list", "delete", "deletecollection"] -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: ["get", "create", "patch", "delete"] -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - - roles - - rolebindings - verbs: ["get", "create", "delete", "patch"] -- apiGroups: - - apps.openshift.io - resources: - - deploymentconfigs - verbs: ["get", "list", "watch", "patch"] -- apiGroups: - - 
policy - resources: - - podsecuritypolicies - verbs: ["use"] - resourceNames: - - {{ template "stash.fullname" . }} - - stash-backupsession-cron - - stash-backup-job - - stash-restore-job - {{- range $x := .Values.additionalPodSecurityPolicies }} - - {{ $x }} - {{- end }} -- apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - - volumesnapshotcontents - - volumesnapshotclasses - verbs: ["create", "get", "list", "watch", "patch"] diff --git a/chart/stash/templates/deployment.yaml b/chart/stash/templates/deployment.yaml deleted file mode 100644 index 95daec463..000000000 --- a/chart/stash/templates/deployment.yaml +++ /dev/null 
@@ -1,134 +0,0 @@ -# GKE returns Major:"1", Minor:"10+" -{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }} -{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "stash.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "stash.labels" . | nindent 4 }} -{{- if .Values.annotations }} - annotations: -{{ toYaml .Values.annotations | indent 4 }} -{{- end }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: "{{ template "stash.name" . }}" - release: "{{ .Release.Name }}" - template: - metadata: - labels: - {{- include "stash.labels" . | nindent 8 }} -{{- if or .Values.annotations (and .Values.criticalAddon (eq .Release.Namespace "kube-system")) }} - annotations: -{{- if and .Values.criticalAddon (eq .Release.Namespace "kube-system") }} - scheduler.alpha.kubernetes.io/critical-pod: '' -{{- end }} -{{- if .Values.annotations }} -{{ toYaml .Values.annotations | indent 8 }} -{{- end }} -{{- end }} - spec: - serviceAccountName: {{ template "stash.serviceAccountName" . }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: -{{ toYaml .Values.imagePullSecrets | indent 6 }} - {{- end }} - containers: - - name: operator - image: {{ .Values.operator.registry }}/{{ .Values.operator.repository }}:{{ .Values.operator.tag }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - run - - --v={{ .Values.logLevel }} - - --docker-registry={{ .Values.operator.registry }} - - --secure-port=8443 - - --audit-log-path=- - - --tls-cert-file=/var/serving-cert/tls.crt - - --tls-private-key-file=/var/serving-cert/tls.key - - --service-name={{ template "stash.fullname" . 
}} - - --enable-mutating-webhook={{ .Values.apiserver.enableMutatingWebhook }} - - --enable-validating-webhook={{ .Values.apiserver.enableValidatingWebhook }} - - --bypass-validating-webhook-xray={{ .Values.apiserver.bypassValidatingWebhookXray }} -{{- if and (not .Values.apiserver.disableStatusSubresource) (ge $major 1) (ge $minor 11) }} - - --enable-status-subresource=true -{{- end }} - - --use-kubeapiserver-fqdn-for-aks={{ .Values.apiserver.useKubeapiserverFqdnForAks }} - - --enable-analytics={{ .Values.enableAnalytics }} - ports: - - containerPort: 8443 - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace -{{- if .Values.apiserver.healthcheck.enabled }} - readinessProbe: - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - initialDelaySeconds: 5 - livenessProbe: - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - initialDelaySeconds: 5 -{{- end }} - resources: - requests: - cpu: "100m" - volumeMounts: - - mountPath: /var/serving-cert - name: serving-cert - - name: pushgateway - image: '{{ .Values.pushgateway.registry }}/{{ .Values.pushgateway.repository }}:{{ .Values.pushgateway.tag }}' - imagePullPolicy: {{ .Values.imagePullPolicy }} - args: - - --web.listen-address=:56789 - - --persistence.file=/var/pv/pushgateway.dat - ports: - - containerPort: 56789 - volumeMounts: - - mountPath: /var/pv - name: data-volume - - mountPath: /tmp - name: stash-scratchdir - volumes: - - emptyDir: {} - name: data-volume - - emptyDir: {} - name: stash-scratchdir - - name: serving-cert - secret: - defaultMode: 420 - secretName: {{ template "stash.fullname" . 
}}-apiserver-cert -{{- if or .Values.tolerations (and .Values.criticalAddon (eq .Release.Namespace "kube-system")) }} - tolerations: -{{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 8 }} -{{- end -}} -{{- if and .Values.criticalAddon (eq .Release.Namespace "kube-system") }} - - key: CriticalAddonsOnly - operator: Exists -{{- end -}} -{{- end -}} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} -{{- end -}} -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end -}} -{{- if and .Values.criticalAddon (eq .Release.Namespace "kube-system") }} - priorityClassName: system-cluster-critical -{{- end -}} diff --git a/chart/stash/templates/mutating-webhook.yaml b/chart/stash/templates/mutating-webhook.yaml deleted file mode 100644 index b4d9bc6f4..000000000 --- a/chart/stash/templates/mutating-webhook.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -# GKE returns Major:"1", Minor:"10+" -{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }} -{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }} -{{- if .Values.apiserver.enableMutatingWebhook }} -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: admission.stash.appscode.com - labels: - {{- include "stash.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation -webhooks: -- name: deployment.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/deploymentmutators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - apps - - extensions - apiVersions: - - "*" - resources: - - deployments - failurePolicy: Ignore -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -- name: daemonset.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/daemonsetmutators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - apps - - extensions - apiVersions: - - "*" - resources: - - daemonsets - failurePolicy: Ignore -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -- name: statefulset.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/statefulsetmutators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - apiGroups: - - apps - apiVersions: - - "*" - resources: - - statefulsets - failurePolicy: Ignore -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -- name: 
replicationcontroller.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/replicationcontrollermutators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - "" - apiVersions: - - "*" - resources: - - replicationcontrollers - failurePolicy: Ignore -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -- name: replicaset.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/replicasetmutators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - apps - - extensions - apiVersions: - - "*" - resources: - - replicasets - failurePolicy: Ignore -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -- name: deploymentconfig.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/deploymentconfigmutators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - apps.openshift.io - apiVersions: - - "*" - resources: - - deploymentconfigs - failurePolicy: Ignore -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -{{ end }} diff --git a/chart/stash/templates/operator-psp.yaml b/chart/stash/templates/operator-psp.yaml deleted file mode 100644 index ff6ae6093..000000000 --- a/chart/stash/templates/operator-psp.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ template "stash.fullname" . }} - labels: - {{- include "stash.labels" . | nindent 4 }} -spec: - privileged: false - allowPrivilegeEscalation: false - volumes: - - "*" # operator need to access all types of volume - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny diff --git a/chart/stash/templates/operator-scc.yaml b/chart/stash/templates/operator-scc.yaml deleted file mode 100644 index bacda873a..000000000 --- a/chart/stash/templates/operator-scc.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if .Values.platform.openshift }} -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: stash-operator-psp - labels: - {{- include "stash.labels" . | nindent 4 }} -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: false -allowPrivilegedContainer: false -allowedCapabilities: null -defaultAddCapabilities: null -fsGroup: - type: RunAsAny -groups: null -priority: null -readOnlyRootFilesystem: false -requiredDropCapabilities: null -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: -- system:serviceaccount:{{ .Release.Namespace }}:{{ template "stash.serviceAccountName" . }} -volumes: -- '*' -{{ end }} diff --git a/chart/stash/templates/restore-job-psp.yaml b/chart/stash/templates/restore-job-psp.yaml deleted file mode 100644 index 9262fe16a..000000000 --- a/chart/stash/templates/restore-job-psp.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: stash-restore-job - labels: - {{- include "stash.labels" . | nindent 4 }} -spec: - allowPrivilegeEscalation: false - volumes: - - "*" # restore job need to access all types of volume as user may restore to any types of volume - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny diff --git a/chart/stash/templates/restore-job-scc.yaml b/chart/stash/templates/restore-job-scc.yaml deleted file mode 100644 index ac05113b1..000000000 --- a/chart/stash/templates/restore-job-scc.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if .Values.platform.openshift }} -apiVersion: security.openshift.io/v1 -kind: SecurityContextConstraints -metadata: - name: stash-restore-job - labels: - {{- include "stash.labels" . | nindent 4 }} -allowHostDirVolumePlugin: false -allowHostIPC: false -allowHostNetwork: false -allowHostPID: false -allowHostPorts: false -allowPrivilegeEscalation: false -allowPrivilegedContainer: false -allowedCapabilities: null -defaultAddCapabilities: null -fsGroup: - type: RunAsAny -groups: null -priority: null -readOnlyRootFilesystem: false -requiredDropCapabilities: null -runAsUser: - type: RunAsAny -seLinuxContext: - type: RunAsAny -supplementalGroups: - type: RunAsAny -users: null -volumes: -- '*' -{{ end }} diff --git a/chart/stash/templates/service-account.yaml b/chart/stash/templates/service-account.yaml deleted file mode 100644 index 454130d42..000000000 --- a/chart/stash/templates/service-account.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{ if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ template "stash.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "stash.labels" . | nindent 4 }} -{{ end }} 
diff --git a/chart/stash/templates/service.yaml b/chart/stash/templates/service.yaml deleted file mode 100644 index e6536afef..000000000 --- a/chart/stash/templates/service.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "stash.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "stash.labels" . | nindent 4 }} - {{- if eq .Values.monitoring.agent "prometheus.io/builtin" }} - annotations: - prometheus.io/scrape: "true" - {{- if .Values.monitoring.backup }} - prometheus.io/pushgateway_path: "/metrics" - prometheus.io/pushgateway_port: "56789" - prometheus.io/pushgateway_scheme: "http" - {{- end }} - {{- if .Values.monitoring.operator }} - prometheus.io/operator_path: "/metrics" - prometheus.io/operator_port: "8443" - prometheus.io/operator_scheme: "https" - {{- end }} - {{- end }} -spec: - ports: - # Port used to expose admission webhook apiserver - - name: api - port: 443 - targetPort: 8443 - # Port used to expose Prometheus pushgateway - - name: pushgateway - port: 56789 - protocol: TCP - targetPort: 56789 - selector: - app: "{{ template "stash.name" . }}" - release: "{{ .Release.Name }}" diff --git a/chart/stash/templates/servicemonitor.yaml b/chart/stash/templates/servicemonitor.yaml deleted file mode 100644 index b6e2c334e..000000000 --- a/chart/stash/templates/servicemonitor.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{- if and (eq .Values.monitoring.agent "prometheus.io/coreos-operator") (or .Values.monitoring.backup .Values.monitoring.operator) }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ template "stash.fullname" . }} - namespace: {{ default .Release.Namespace .Values.monitoring.prometheus.namespace }} - labels: - {{- if .Values.monitoring.serviceMonitor.labels }} - {{- range $key, $val := .Values.monitoring.serviceMonitor.labels }} - {{ $key }}: {{ $val }} - {{- end }} - {{- else }} - app: "{{ template "stash.name" . }}" - release: "{{ .Release.Name }}" - {{- end }} -spec: - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: - app: "{{ template "stash.name" . }}" - release: "{{ .Release.Name }}" - endpoints: - {{- if .Values.monitoring.backup }} - - port: pushgateway - honorLabels: true - {{- end }} - {{- if .Values.monitoring.operator }} - - port: api - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - scheme: https - tlsConfig: - caFile: /etc/prometheus/secrets/{{ template "stash.fullname" . }}-apiserver-cert/tls.crt - serverName: "{{ template "stash.fullname" . }}.{{ .Release.Namespace }}.svc" - {{- end }} -{{- end }} diff --git a/chart/stash/templates/user-roles.yaml b/chart/stash/templates/user-roles.yaml deleted file mode 100644 index 35f0e1a65..000000000 --- a/chart/stash/templates/user-roles.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: appscode:stash:edit - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation -rules: -- apiGroups: - - stash.appscode.com - resources: - - restics - - recoveries - - repositories - verbs: ["*"] -- apiGroups: - - repositories.stash.appscode.com - resources: - - snapshots - verbs: ["delete", "deletecollection", "get", "list"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: appscode:stash:view - labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation -rules: -- apiGroups: - - stash.appscode.com - resources: - - restics - - recoveries - - repositories - verbs: ["get", "list", "watch"] -- apiGroups: - - repositories.stash.appscode.com - resources: - - snapshots - verbs: ["get", "list"] diff --git a/chart/stash/templates/validating-webhook.yaml b/chart/stash/templates/validating-webhook.yaml deleted file mode 100644 index 9b2dd0d74..000000000 --- a/chart/stash/templates/validating-webhook.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -# GKE returns Major:"1", Minor:"10+" -{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }} -{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }} -{{- if .Values.apiserver.enableValidatingWebhook }} -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - name: admission.stash.appscode.com - labels: - {{- include "stash.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-delete-policy": before-hook-creation -webhooks: -- name: restic.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/resticvalidators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - stash.appscode.com - apiVersions: - - "*" - resources: - - restics - failurePolicy: Fail -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -- name: recovery.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/recoveryvalidators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - stash.appscode.com - apiVersions: - - "*" - resources: - - recoveries - failurePolicy: Fail -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -- name: repository.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/repositoryvalidators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - stash.appscode.com - apiVersions: - - "*" - resources: - - repositories - failurePolicy: Fail -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -- name: 
restoresession.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1beta1/restoresessionvalidators - caBundle: {{ b64enc .Values.apiserver.ca }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - stash.appscode.com - apiVersions: - - "*" - resources: - - restoresessions - failurePolicy: Fail -{{- if and (ge $major 1) (ge $minor 12) }} - sideEffects: None -{{- end }} -{{ end }} diff --git a/chart/stash/values.yaml b/chart/stash/values.yaml deleted file mode 100644 index ef7893cc2..000000000 --- a/chart/stash/values.yaml +++ /dev/null 
@@ -1,113 +0,0 @@ -# Default values for stash. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -replicaCount: 1 -# Docker registry containing Stash images -operator: - registry: appscode - repository: stash - tag: 0.8.3 -pushgateway: - registry: prom - repository: pushgateway - tag: v0.5.2 -cleaner: - registry: appscode - repository: kubectl - tag: v1.12 -## Optionally specify an array of imagePullSecrets. -## Secrets must be manually created in the namespace. -## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod -## -# imagePullSecrets: -# - name: myRegistryKeySecretName -## Specify a imagePullPolicy -## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images -## -imagePullPolicy: IfNotPresent -## Installs Stash operator as critical addon -## https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/ -criticalAddon: false - -## Log level for operator -logLevel: 3 - -## Annotations passed to operator pod(s). -## -annotations: {} - -## Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: - beta.kubernetes.io/os: linux - beta.kubernetes.io/arch: amd64 - -## Tolerations for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: {} - -## Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## -affinity: {} - -serviceAccount: - # Specifies whether a ServiceAccount should be created - create: true - # The name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template - name: - -apiserver: - # groupPriorityMinimum is the minimum priority the group should have. 
Please see - # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64 - # for more information on proper values of this field. - groupPriorityMinimum: 10000 - # versionPriority is the ordering of this API inside of the group. Please see - # https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70 - # for more information on proper values of this field - versionPriority: 15 - # enableMutatingWebhook is used to configure mutating webhook for Kubernetes workloads - enableMutatingWebhook: true - # enableValidatingWebhook is used to configure validating webhook for Stash CRDss - enableValidatingWebhook: true - # CA certificate used by main Kubernetes api server - ca: not-ca-cert - # If true, disables status sub resource for crds. - # Otherwise, enables status sub resource for Kubernetes version >= 1.11 and disables for other versions. - disableStatusSubresource: false - # If true, bypasses validating webhook xray checks - bypassValidatingWebhookXray: false - # If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) - useKubeapiserverFqdnForAks: true - # healthcheck configures the readiness and liveliness probes for the operator pod. 
- healthcheck: - enabled: true - -# Send usage events to Google Analytics -enableAnalytics: true - -monitoring: - # specify monitoring agent (either "prometheus.io/builtin" or "prometheus.io/coreos-operator") - agent: "none" - # specify whether to monitor backup and recovery - backup: false - # specify whether to monitor stash operator - operator: false - # specify where ServiceMonitor crd will be created - prometheus: - namespace: "" - serviceMonitor: - labels: {} - -# Additional psp names passed to operator -# example: helm install appscode/stash \ -# --set additionalPodSecurityPolicies[0]=abc \ -# --set additionalPodSecurityPolicies[1]=xyz -additionalPodSecurityPolicies: [] - -# Name of platform (eg: Openshift, AKS, EKS, GKE, etc.) -platform: - openshift: false diff --git a/hack/deploy/apiservices.yaml b/hack/deploy/apiservices.yaml deleted file mode 100644 index 53dd8a175..000000000 --- a/hack/deploy/apiservices.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -# register as aggregated apiserver -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1alpha1.admission.stash.appscode.com - labels: - app: stash -spec: - caBundle: ${SERVICE_SERVING_CERT_CA} - group: admission.stash.appscode.com - groupPriorityMinimum: 1000 - versionPriority: 15 - service: - name: stash-operator - namespace: ${STASH_NAMESPACE} - version: v1alpha1 ---- -# register as aggregated apiserver -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1beta1.admission.stash.appscode.com - labels: - app: stash -spec: - caBundle: ${SERVICE_SERVING_CERT_CA} - group: admission.stash.appscode.com - groupPriorityMinimum: 1000 - versionPriority: 15 - service: - name: stash-operator - namespace: ${STASH_NAMESPACE} - version: v1beta1 ---- -# register as aggregated apiserver -apiVersion: apiregistration.k8s.io/v1beta1 -kind: APIService -metadata: - name: v1alpha1.repositories.stash.appscode.com - labels: - app: stash -spec: - caBundle: ${SERVICE_SERVING_CERT_CA} - group: repositories.stash.appscode.com - groupPriorityMinimum: 1000 - versionPriority: 15 - service: - name: stash-operator - namespace: ${STASH_NAMESPACE} - version: v1alpha1 diff --git a/hack/deploy/monitor/apiserver-cert.yaml b/hack/deploy/monitor/apiserver-cert.yaml deleted file mode 100644 index 58055bbcd..000000000 --- a/hack/deploy/monitor/apiserver-cert.yaml +++ /dev/null @@ -1,12 +0,0 @@ -# we have to mount this secret to prometheus pod. so, create this on prometheus namespace -apiVersion: v1 -kind: Secret -metadata: - name: stash-apiserver-cert - namespace: ${PROMETHEUS_NAMESPACE} - labels: - app: stash -type: kubernetes.io/tls -data: - tls.crt: ${TLS_SERVING_CERT} - tls.key: ${TLS_SERVING_KEY} \ No newline at end of file diff --git a/hack/deploy/monitor/servicemonitor-backup.yaml b/hack/deploy/monitor/servicemonitor-backup.yaml deleted file mode 100644 index 23ac106c1..000000000 
--- a/hack/deploy/monitor/servicemonitor-backup.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: stash-servicemonitor - namespace: ${PROMETHEUS_NAMESPACE} - labels: - ${SERVICE_MONITOR_LABEL_KEY}: ${SERVICE_MONITOR_LABEL_VALUE} -spec: - namespaceSelector: - matchNames: - - ${STASH_NAMESPACE} - selector: - matchLabels: - app: stash - endpoints: - - port: pushgateway - honorLabels: true diff --git a/hack/deploy/monitor/servicemonitor-operator.yaml b/hack/deploy/monitor/servicemonitor-operator.yaml deleted file mode 100644 index 5d65e81b8..000000000 --- a/hack/deploy/monitor/servicemonitor-operator.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: stash-servicemonitor - namespace: ${PROMETHEUS_NAMESPACE} - labels: - ${SERVICE_MONITOR_LABEL_KEY}: ${SERVICE_MONITOR_LABEL_VALUE} -spec: - namespaceSelector: - matchNames: - - ${STASH_NAMESPACE} - selector: - matchLabels: - app: stash - endpoints: - - port: api - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - scheme: https - tlsConfig: - caFile: /etc/prometheus/secrets/stash-apiserver-cert/tls.crt - serverName: "stash-operator.${STASH_NAMESPACE}.svc" diff --git a/hack/deploy/monitor/servicemonitor.yaml b/hack/deploy/monitor/servicemonitor.yaml deleted file mode 100644 index 859ee31e0..000000000 --- a/hack/deploy/monitor/servicemonitor.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: stash-servicemonitor - namespace: ${PROMETHEUS_NAMESPACE} - labels: - ${SERVICE_MONITOR_LABEL_KEY}: ${SERVICE_MONITOR_LABEL_VALUE} -spec: - namespaceSelector: - matchNames: - - ${STASH_NAMESPACE} - selector: - matchLabels: - app: stash - endpoints: - - port: pushgateway - honorLabels: true - - port: api - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - scheme: https - tlsConfig: - caFile: /etc/prometheus/secrets/stash-apiserver-cert/tls.crt - serverName: "stash-operator.${STASH_NAMESPACE}.svc" diff --git a/hack/deploy/mutating-webhook.yaml b/hack/deploy/mutating-webhook.yaml deleted file mode 100644 index ce1c21d20..000000000 --- a/hack/deploy/mutating-webhook.yaml +++ /dev/null 
@@ -1,123 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: MutatingWebhookConfiguration -metadata: - name: admission.stash.appscode.com - labels: - app: stash -webhooks: -- name: deployment.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/deploymentmutators - caBundle: ${KUBE_CA} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - apps - - extensions - apiVersions: - - "*" - resources: - - deployments - failurePolicy: Ignore - ${STASH_WEBHOOK_SIDE_EFFECTS} -- name: daemonset.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/daemonsetmutators - caBundle: ${KUBE_CA} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - apps - - extensions - apiVersions: - - "*" - resources: - - daemonsets - failurePolicy: Ignore - ${STASH_WEBHOOK_SIDE_EFFECTS} -- name: statefulset.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/statefulsetmutators - caBundle: ${KUBE_CA} - rules: - - operations: - - CREATE - apiGroups: - - apps - apiVersions: - - "*" - resources: - - statefulsets - failurePolicy: Ignore - ${STASH_WEBHOOK_SIDE_EFFECTS} -- name: replicationcontroller.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/replicationcontrollermutators - caBundle: ${KUBE_CA} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - "" - apiVersions: - - "*" - resources: - - replicationcontrollers - failurePolicy: Ignore - ${STASH_WEBHOOK_SIDE_EFFECTS} -- name: replicaset.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/replicasetmutators - caBundle: ${KUBE_CA} - 
rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - apps - - extensions - apiVersions: - - "*" - resources: - - replicasets - failurePolicy: Ignore - ${STASH_WEBHOOK_SIDE_EFFECTS} -- name: deploymentconfig.admission.stash.appscode.com - clientConfig: - service: - namespace: default - name: kubernetes - path: /apis/admission.stash.appscode.com/v1alpha1/deploymentconfigmutators - caBundle: ${KUBE_CA} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - apps.openshift.io - apiVersions: - - "*" - resources: - - deploymentconfigs - failurePolicy: Ignore - ${STASH_WEBHOOK_SIDE_EFFECTS} diff --git a/hack/deploy/operator.yaml b/hack/deploy/operator.yaml deleted file mode 100644 index 42c9c7c8d..000000000 --- a/hack/deploy/operator.yaml +++ /dev/null 
@@ -1,128 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: stash-operator - namespace: ${STASH_NAMESPACE} - labels: - app: stash -spec: - replicas: 1 - selector: - matchLabels: - app: stash - template: - metadata: - labels: - app: stash - annotations: - scheduler.alpha.kubernetes.io/critical-pod: '' - spec: - serviceAccountName: ${STASH_SERVICE_ACCOUNT} - imagePullSecrets: [${STASH_IMAGE_PULL_SECRET}] - containers: - - name: operator - image: ${STASH_DOCKER_REGISTRY}/stash:${STASH_IMAGE_TAG} - imagePullPolicy: ${STASH_IMAGE_PULL_POLICY} - args: - - run - - --v=3 - - --docker-registry=${STASH_DOCKER_REGISTRY} - - --secure-port=8443 - - --audit-log-path=- - - --tls-cert-file=/var/serving-cert/tls.crt - - --tls-private-key-file=/var/serving-cert/tls.key - - --service-name=${STASH_SERVICE_NAME} - - --enable-mutating-webhook=${STASH_ENABLE_MUTATING_WEBHOOK} - - --enable-validating-webhook=${STASH_ENABLE_VALIDATING_WEBHOOK} - - --bypass-validating-webhook-xray=${STASH_BYPASS_VALIDATING_WEBHOOK_XRAY} - - --enable-status-subresource=${STASH_ENABLE_STATUS_SUBRESOURCE} - - --use-kubeapiserver-fqdn-for-aks=${STASH_USE_KUBEAPISERVER_FQDN_FOR_AKS} - - --enable-analytics=${STASH_ENABLE_ANALYTICS} - ports: - - containerPort: 8443 - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - requests: - cpu: "100m" - volumeMounts: - - mountPath: /var/serving-cert - name: serving-cert - readinessProbe: - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - initialDelaySeconds: 5 - livenessProbe: - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - initialDelaySeconds: 5 - - name: pushgateway - args: - - --web.listen-address=:56789 - - --persistence.file=/var/pv/pushgateway.dat - image: ${PUSHGATEWAY_DOCKER_REGISTRY}/pushgateway:v0.5.2 - ports: - - containerPort: 56789 - name: pushgateway - protocol: TCP - volumeMounts: - - mountPath: 
/var/pv - name: data-volume - - mountPath: /tmp - name: stash-scratchdir - volumes: - - emptyDir: {} - name: data-volume - - emptyDir: {} - name: stash-scratchdir - - name: serving-cert - secret: - defaultMode: 420 - secretName: stash-apiserver-cert - tolerations: - - key: CriticalAddonsOnly - operator: Exists - priorityClassName: ${STASH_PRIORITY_CLASS} ---- -# kube lacks the service serving cert signer, so provide a manual secret for it -apiVersion: v1 -kind: Secret -metadata: - name: stash-apiserver-cert - namespace: ${STASH_NAMESPACE} - labels: - app: stash -type: kubernetes.io/tls -data: - tls.crt: ${TLS_SERVING_CERT} - tls.key: ${TLS_SERVING_KEY} ---- -# to be able to expose TSB inside the cluster -apiVersion: v1 -kind: Service -metadata: - name: ${STASH_SERVICE_NAME} - namespace: ${STASH_NAMESPACE} - labels: - app: stash -spec: - ports: - - name: api - port: 443 - targetPort: 8443 - - name: pushgateway - port: 56789 - targetPort: 56789 - selector: - app: stash diff --git a/hack/deploy/psp/backup-job.yaml b/hack/deploy/psp/backup-job.yaml deleted file mode 100644 index 9c42a9254..000000000 --- a/hack/deploy/psp/backup-job.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: stash-backup-job - labels: - app: stash -spec: - privileged: false - allowPrivilegeEscalation: false - volumes: - - "*" # backup job require to access all types of volume as user may use any types of volume - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny diff --git a/hack/deploy/psp/backupsession-cron.yaml b/hack/deploy/psp/backupsession-cron.yaml deleted file mode 100644 index 6aafc6bee..000000000 --- a/hack/deploy/psp/backupsession-cron.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: stash-backupsession-cron - labels: - app: stash -spec: - privileged: false - allowPrivilegeEscalation: false - hostNetwork: false - hostIPC: false - hostPID: false - volumes: - - secret # kubernetes mount service account token secret into the pod. so we need to give permission to mount secret volume - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny diff --git a/hack/deploy/psp/operator.yaml b/hack/deploy/psp/operator.yaml deleted file mode 100644 index b85cc78f7..000000000 --- a/hack/deploy/psp/operator.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: stash-operator-psp - labels: - app: stash -spec: - privileged: false - allowPrivilegeEscalation: false - volumes: - - "*" # operator require to access all types of volume - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny diff --git a/hack/deploy/psp/restore-job.yaml b/hack/deploy/psp/restore-job.yaml deleted file mode 100644 index 5338c1984..000000000 --- a/hack/deploy/psp/restore-job.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: stash-restore-job - labels: - app: stash -spec: - allowPrivilegeEscalation: false - volumes: - - "*" # restore job require to access all types of volume as user may use any volume - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: RunAsAny - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - fsGroup: - rule: RunAsAny diff --git a/hack/deploy/rbac-list.yaml b/hack/deploy/rbac-list.yaml deleted file mode 100644 index e0706a552..000000000 --- a/hack/deploy/rbac-list.yaml +++ /dev/null 
@@ -1,173 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: stash-operator
- labels:
- app: stash
-rules:
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs: ["*"]
-- apiGroups:
- - apiregistration.k8s.io
- resources:
- - apiservices
- verbs: ["get", "patch"]
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs: ["delete", "get", "list", "watch", "patch"]
-- apiGroups:
- - stash.appscode.com
- resources:
- - "*"
- verbs: ["*"]
-- apiGroups:
- - appcatalog.appscode.com
- resources:
- - "*"
- verbs: ["*"]
-- apiGroups:
- - apps
- resources:
- - daemonsets
- - deployments
- - replicasets
- - statefulsets
- verbs: ["get", "list", "watch", "patch"]
-- apiGroups:
- - batch
- resources:
- - jobs
- - cronjobs
- verbs: ["get", "list", "watch", "create", "delete", "patch"]
-- apiGroups:
- - ""
- resources:
- - namespaces
- - replicationcontrollers
- verbs: ["get", "list", "watch", "patch"]
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs: ["create", "update", "get", "delete"]
-- apiGroups:
- - ""
- resources:
- - persistentvolumeclaims
- verbs: ["get","list","watch", "create", "patch"]
-- apiGroups:
- - ""
- resources:
- - secrets
- - services
- verbs: ["get"]
-- apiGroups:
- - ""
- resources:
- - events
- verbs: ["create"]
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs: ["list"]
-- apiGroups:
- - ""
- resources:
- - pods
- - pods/exec
- verbs: ["get", "create", "list", "delete", "deletecollection"]
-- apiGroups:
- - ""
- resources:
- - serviceaccounts
- verbs: ["get", "create", "patch", "delete"]
-- apiGroups:
- - rbac.authorization.k8s.io
- resources:
- - clusterroles
- - roles
- - rolebindings
- - clusterrolebindings
- verbs: ["get", "create", "delete", "patch"]
-- apiGroups:
- - apps.openshift.io
- resources:
- - deploymentconfigs
- verbs: ["get", "list", "watch", "patch"]
-- apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- verbs: ["use"]
- resourceNames:
- - stash-operator-psp
- - stash-backupsession-cron
- - stash-backup-job
- - stash-restore-job
-- apiGroups:
- - snapshot.storage.k8s.io
- resources:
- - volumesnapshots
- - volumesnapshotcontents
- - volumesnapshotclasses
- verbs: ["create", "get", "list", "watch", "patch"]
-- apiGroups:
- - storage.k8s.io
- resources:
- - storageclasses
- verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: stash-operator
- labels:
- app: stash
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: stash-operator
-subjects:
-- kind: ServiceAccount
- name: ${STASH_SERVICE_ACCOUNT}
- namespace: ${STASH_NAMESPACE}
----
-# to read the config for terminating authentication
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: stash-apiserver-extension-server-authentication-reader
- namespace: kube-system
- labels:
- app: stash
-roleRef:
- kind: Role
- apiGroup: rbac.authorization.k8s.io
- name: extension-apiserver-authentication-reader
-subjects:
-- kind: ServiceAccount
- name: ${STASH_SERVICE_ACCOUNT}
- namespace: ${STASH_NAMESPACE}
----
-# to delegate authentication and authorization
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: stash-apiserver-auth-delegator
- labels:
- app: stash
-roleRef:
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
- name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
- name: ${STASH_SERVICE_ACCOUNT}
- namespace: ${STASH_NAMESPACE}
diff --git a/hack/deploy/run-on-master.yaml b/hack/deploy/run-on-master.yaml
deleted file mode 100644
index 181044e0d..000000000
--- a/hack/deploy/run-on-master.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-# kubectl patch deploy stash-operator -n kube-system --patch "$(cat run-on-master.yaml)"
-spec:
- template:
- spec:
- nodeSelector:
- node-role.kubernetes.io/master: ""
- tolerations:
- - key: CriticalAddonsOnly
- operator: Exists
- - effect: NoSchedule
- key: node-role.kubernetes.io/master
- operator: Exists
diff --git a/hack/deploy/scc/backup-job.yaml b/hack/deploy/scc/backup-job.yaml
deleted file mode 100644
index f944dbe96..000000000
--- a/hack/deploy/scc/backup-job.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: security.openshift.io/v1
-kind: SecurityContextConstraints
-metadata:
- name: stash-backup-job
- labels:
- app: stash
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: false
-allowPrivilegedContainer: false
-allowedCapabilities: null
-defaultAddCapabilities: null
-fsGroup:
- type: RunAsAny
-groups: null
-priority: null
-readOnlyRootFilesystem: false
-requiredDropCapabilities: null
-runAsUser:
- type: RunAsAny
-seLinuxContext:
- type: RunAsAny
-supplementalGroups:
- type: RunAsAny
-users: null
-volumes:
-- '*'
diff --git a/hack/deploy/scc/backupsession-cron.yaml b/hack/deploy/scc/backupsession-cron.yaml
deleted file mode 100644
index bf1bad13d..000000000
--- a/hack/deploy/scc/backupsession-cron.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: security.openshift.io/v1
-kind: SecurityContextConstraints
-metadata:
- name: stash-backupsession-cron
- labels:
- app: stash
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: false
-allowPrivilegedContainer: false
-allowedCapabilities: null
-defaultAddCapabilities: null
-fsGroup:
- type: RunAsAny
-groups: null
-priority: null
-readOnlyRootFilesystem: false
-requiredDropCapabilities: null
-runAsUser:
- type: RunAsAny
-seLinuxContext:
- type: RunAsAny
-supplementalGroups:
- type: RunAsAny
-users: null
-volumes:
-- secret
diff --git a/hack/deploy/scc/operator.yaml b/hack/deploy/scc/operator.yaml
deleted file mode 100644
index c8f206099..000000000
--- a/hack/deploy/scc/operator.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-apiVersion: security.openshift.io/v1
-kind: SecurityContextConstraints
-metadata:
- name: stash-operator-psp
- labels:
- app: stash
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: false
-allowPrivilegedContainer: false
-allowedCapabilities: null
-defaultAddCapabilities: null
-fsGroup:
- type: RunAsAny
-groups: null
-priority: null
-readOnlyRootFilesystem: false
-requiredDropCapabilities: null
-runAsUser:
- type: RunAsAny
-seLinuxContext:
- type: RunAsAny
-supplementalGroups:
- type: RunAsAny
-users:
-- system:serviceaccount:${STASH_NAMESPACE}:${STASH_SERVICE_ACCOUNT}
-volumes:
-- '*'
diff --git a/hack/deploy/scc/restore-job.yaml b/hack/deploy/scc/restore-job.yaml
deleted file mode 100644
index ede859de9..000000000
--- a/hack/deploy/scc/restore-job.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: security.openshift.io/v1
-kind: SecurityContextConstraints
-metadata:
- name: stash-restore-job
- labels:
- app: stash
-allowHostDirVolumePlugin: false
-allowHostIPC: false
-allowHostNetwork: false
-allowHostPID: false
-allowHostPorts: false
-allowPrivilegeEscalation: false
-allowPrivilegedContainer: false
-allowedCapabilities: null
-defaultAddCapabilities: null
-fsGroup:
- type: RunAsAny
-groups: null
-priority: null
-readOnlyRootFilesystem: false
-requiredDropCapabilities: null
-runAsUser:
- type: RunAsAny
-seLinuxContext:
- type: RunAsAny
-supplementalGroups:
- type: RunAsAny
-users: null
-volumes:
-- '*'
diff --git a/hack/deploy/service-account.yaml b/hack/deploy/service-account.yaml
deleted file mode 100644
index fa0b5176a..000000000
--- a/hack/deploy/service-account.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: ${STASH_SERVICE_ACCOUNT}
- namespace: ${STASH_NAMESPACE}
- labels:
- app: stash
diff --git a/hack/deploy/stash.sh b/hack/deploy/stash.sh
deleted file mode 100755
index 4e1441ad0..000000000
--- a/hack/deploy/stash.sh
+++ /dev/null
@@ -1,550 +0,0 @@
-#!/bin/bash
-set -eou pipefail
-
-crds=(restics repositories recoveries backupconfigurations backupsessions backupconfigurationtemplates functions restoresessions tasks)
-
-echo "checking kubeconfig context"
-kubectl config current-context || {
- echo "Set a context (kubectl use-context ) out of the following:"
- echo
- kubectl config get-contexts
- exit 1
-}
-echo ""
-
-# http://redsymbol.net/articles/bash-exit-traps/
-function cleanup() {
- rm -rf $ONESSL ca.crt ca.key server.crt server.key
-}
-
-export APPSCODE_ENV=${APPSCODE_ENV:-prod}
-trap cleanup EXIT
-
-# ref: https://github.com/appscodelabs/libbuild/blob/master/common/lib.sh#L55
-inside_git_repo() {
- git rev-parse --is-inside-work-tree >/dev/null 2>&1
- inside_git=$?
- if [ "$inside_git" -ne 0 ]; then
- echo "Not inside a git repository"
- exit 1
- fi
-}
-
-detect_tag() {
- inside_git_repo
-
- # http://stackoverflow.com/a/1404862/3476121
- git_tag=$(git describe --exact-match --abbrev=0 2>/dev/null || echo '')
-
- commit_hash=$(git rev-parse --verify HEAD)
- git_branch=$(git rev-parse --abbrev-ref HEAD)
- commit_timestamp=$(git show -s --format=%ct)
-
- if [ "$git_tag" != '' ]; then
- TAG=$git_tag
- TAG_STRATEGY='git_tag'
- elif [ "$git_branch" != 'master' ] && [ "$git_branch" != 'HEAD' ] && [[ "$git_branch" != release-* ]]; then
- TAG=$git_branch
- TAG_STRATEGY='git_branch'
- else
- hash_ver=$(git describe --tags --always --dirty)
- TAG="${hash_ver}"
- TAG_STRATEGY='commit_hash'
- fi
-
- export TAG
- export TAG_STRATEGY
- export git_tag
- export git_branch
- export commit_hash
- export commit_timestamp
-}
-
-onessl_found() {
- # https://stackoverflow.com/a/677212/244009
- if [ -x "$(command -v onessl)" ]; then
- onessl wait-until-has -h >/dev/null 2>&1 || {
- # old version of onessl found
- echo "Found outdated onessl"
- return 1
- }
- export ONESSL=onessl
- return 0
- fi
- return 1
-}
-
-onessl_found || {
- echo "Downloading onessl ..."
- if [[ "$(uname -m)" == "aarch64" ]]; then
- curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.10.0/onessl-linux-arm64
- chmod +x onessl
- export ONESSL=./onessl
- else
- # ref: https://stackoverflow.com/a/27776822/244009
- case "$(uname -s)" in
- Darwin)
- curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.10.0/onessl-darwin-amd64
- chmod +x onessl
- export ONESSL=./onessl
- ;;
-
- Linux)
- curl -fsSL -o onessl https://github.com/kubepack/onessl/releases/download/0.10.0/onessl-linux-amd64
- chmod +x onessl
- export ONESSL=./onessl
- ;;
-
- CYGWIN* | MINGW* | MSYS*)
- curl -fsSL -o onessl.exe https://github.com/kubepack/onessl/releases/download/0.10.0/onessl-windows-amd64.exe
- chmod +x onessl.exe
- export ONESSL=./onessl.exe
- ;;
- *)
- echo 'other OS'
- ;;
- esac
- fi
-}
-
-# ref: https://stackoverflow.com/a/7069755/244009
-# ref: https://jonalmeida.com/posts/2013/05/26/different-ways-to-implement-flags-in-bash/
-# ref: http://tldp.org/LDP/abs/html/comparison-ops.html
-
-export STASH_NAMESPACE=kube-system
-export STASH_SERVICE_ACCOUNT=stash-operator
-export STASH_SERVICE_NAME=stash-operator
-export STASH_RUN_ON_MASTER=0
-export STASH_ENABLE_VALIDATING_WEBHOOK=false
-export STASH_ENABLE_MUTATING_WEBHOOK=false
-export STASH_DOCKER_REGISTRY=appscode
-export PUSHGATEWAY_DOCKER_REGISTRY=prom
-export STASH_IMAGE_TAG=0.8.3
-export STASH_IMAGE_PULL_SECRET=
-export STASH_IMAGE_PULL_POLICY=IfNotPresent
-export STASH_ENABLE_STATUS_SUBRESOURCE=false
-export STASH_ENABLE_ANALYTICS=true
-export STASH_UNINSTALL=0
-export STASH_PURGE=0
-export STASH_BYPASS_VALIDATING_WEBHOOK_XRAY=false
-export STASH_USE_KUBEAPISERVER_FQDN_FOR_AKS=true
-export STASH_PRIORITY_CLASS=system-cluster-critical
-
-export SCRIPT_LOCATION="curl -fsSL https://raw.githubusercontent.com/stashed/stash/0.8.3/"
-if [[ "$APPSCODE_ENV" == "dev" ]]; then
- detect_tag
- export SCRIPT_LOCATION="cat "
- export STASH_IMAGE_TAG=$TAG
- export STASH_IMAGE_PULL_POLICY=Always
-fi
-
-KUBE_APISERVER_VERSION=$(kubectl version -o=json | $ONESSL jsonpath '{.serverVersion.gitVersion}')
-$ONESSL semver --check='<1.9.0' $KUBE_APISERVER_VERSION || {
- export STASH_ENABLE_VALIDATING_WEBHOOK=true
- export STASH_ENABLE_MUTATING_WEBHOOK=true
-}
-$ONESSL semver --check='<1.11.0' $KUBE_APISERVER_VERSION || { export STASH_ENABLE_STATUS_SUBRESOURCE=true; }
-
-export STASH_WEBHOOK_SIDE_EFFECTS=
-$ONESSL semver --check='<1.12.0' $KUBE_APISERVER_VERSION || { export STASH_WEBHOOK_SIDE_EFFECTS='sideEffects: None'; }
-
-MONITORING_AGENT_NONE="none"
-MONITORING_AGENT_BUILTIN="prometheus.io/builtin"
-MONITORING_AGENT_COREOS_OPERATOR="prometheus.io/coreos-operator"
-
-export MONITORING_AGENT=${MONITORING_AGENT:-$MONITORING_AGENT_NONE}
-export MONITORING_BACKUP=${MONITORING_BACKUP:-false}
-export MONITORING_OPERATOR=${MONITORING_OPERATOR:-false}
-export SERVICE_MONITOR_LABEL_KEY="app"
-export SERVICE_MONITOR_LABEL_VALUE="stash"
-
-show_help() {
- echo "stash.sh - install stash operator"
- echo " "
- echo "stash.sh [options]"
- echo " "
- echo "options:"
- echo "-h, --help show brief help"
- echo "-n, --namespace=NAMESPACE specify namespace (default: kube-system)"
- echo " --docker-registry docker registry used to pull stash images (default: appscode)"
- echo " --pushgateway-registry docker registry used to pull Prometheus pushgateway image (default: prom)"
- echo " --image-pull-secret name of secret used to pull stash operator images"
- echo " --run-on-master run stash operator on master"
- echo " --enable-mutating-webhook enable/disable mutating webhooks for Kubernetes workloads"
- echo " --enable-validating-webhook enable/disable validating webhooks for Stash crds"
- echo " --bypass-validating-webhook-xray if true, bypasses validating webhook xray checks"
- echo " --enable-status-subresource if enabled, uses status sub resource for crds"
- echo " --use-kubeapiserver-fqdn-for-aks if true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)"
- echo " --enable-analytics send usage events to Google Analytics (default: true)"
- echo " --uninstall uninstall stash"
- echo " --purge purges stash crd objects and crds"
- echo " --monitoring-agent specify which monitoring agent to use (default: none)"
- echo " --monitoring-backup specify whether to monitor stash backup and restore activity (default: false)"
- echo " --monitoring-operator specify whether to monitor stash operator (default: false)"
- echo " --prometheus-namespace specify the namespace where Prometheus server is running or will be deployed (default: same namespace as stash-operator)"
- echo " --servicemonitor-label specify the label for ServiceMonitor crd. Prometheus crd will use this label to select the ServiceMonitor. (default: 'app: stash')"
-}
-
-while test $# -gt 0; do
- case "$1" in
- -h | --help)
- show_help
- exit 0
- ;;
- -n)
- shift
- if test $# -gt 0; then
- export STASH_NAMESPACE=$1
- else
- echo "no namespace specified"
- exit 1
- fi
- shift
- ;;
- --namespace*)
- export STASH_NAMESPACE=$(echo $1 | sed -e 's/^[^=]*=//g')
- shift
- ;;
- --docker-registry*)
- export STASH_DOCKER_REGISTRY=$(echo $1 | sed -e 's/^[^=]*=//g')
- shift
- ;;
- --pushgateway-registry*)
- export PUSHGATEWAY_DOCKER_REGISTRY=$(echo $1 | sed -e 's/^[^=]*=//g')
- shift
- ;;
- --image-pull-secret*)
- secret=$(echo $1 | sed -e 's/^[^=]*=//g')
- export STASH_IMAGE_PULL_SECRET="name: '$secret'"
- shift
- ;;
- --enable-mutating-webhook*)
- val=$(echo $1 | sed -e 's/^[^=]*=//g')
- if [ "$val" = "false" ]; then
- export STASH_ENABLE_MUTATING_WEBHOOK=false
- fi
- shift
- ;;
- --enable-validating-webhook*)
- val=$(echo $1 | sed -e 's/^[^=]*=//g')
- if [ "$val" = "false" ]; then
- export STASH_ENABLE_VALIDATING_WEBHOOK=false
- fi
- shift
- ;;
- --bypass-validating-webhook-xray*)
- val=$(echo $1 | sed -e 's/^[^=]*=//g')
- if [ "$val" = "false" ]; then
- export STASH_BYPASS_VALIDATING_WEBHOOK_XRAY=false
- else
- export STASH_BYPASS_VALIDATING_WEBHOOK_XRAY=true
- fi
- shift
- ;;
- --enable-status-subresource*)
- val=$(echo $1 | sed -e 's/^[^=]*=//g')
- if [ "$val" = "false" ]; then
- export STASH_ENABLE_STATUS_SUBRESOURCE=false
- fi
- shift
- ;;
- --use-kubeapiserver-fqdn-for-aks*)
- val=$(echo $1 | sed -e 's/^[^=]*=//g')
- if [ "$val" = "false" ]; then
- export STASH_USE_KUBEAPISERVER_FQDN_FOR_AKS=false
- else
- export STASH_USE_KUBEAPISERVER_FQDN_FOR_AKS=true
- fi
- shift
- ;;
- --enable-analytics*)
- val=$(echo $1 | sed -e 's/^[^=]*=//g')
- if [ "$val" = "false" ]; then
- export STASH_ENABLE_ANALYTICS=false
- fi
- shift
- ;;
- --run-on-master)
- export STASH_RUN_ON_MASTER=1
- shift
- ;;
- --uninstall)
- export STASH_UNINSTALL=1
- shift
- ;;
- --purge)
- export STASH_PURGE=1
- shift
- ;;
- --monitoring-agent*)
- val=$(echo $1 | sed -e 's/^[^=]*=//g')
- if [ "$val" != "$MONITORING_AGENT_BUILTIN" ] && [ "$val" != "$MONITORING_AGENT_COREOS_OPERATOR" ]; then
- echo 'Invalid monitoring agent. Use "builtin" or "coreos-operator"'
- exit 1
- else
- export MONITORING_AGENT="$val"
- fi
- shift
- ;;
- --monitoring-backup*)
- val=$(echo $1 | sed -e 's/^[^=]*=//g')
- if [ "$val" = "true" ]; then
- export MONITORING_BACKUP=true
- fi
- shift
- ;;
- --monitoring-operator*)
- val=$(echo $1 | sed -e 's/^[^=]*=//g')
- if [ "$val" = "true" ]; then
- export MONITORING_OPERATOR="$val"
- fi
- shift
- ;;
- --prometheus-namespace*)
- export PROMETHEUS_NAMESPACE=$(echo $1 | sed -e 's/^[^=]*=//g')
- shift
- ;;
- --servicemonitor-label*)
- label=$(echo $1 | sed -e 's/^[^=]*=//g')
- # split label into key value pair
- IFS='='
- pair=($label)
- unset IFS
- # check if the label is valid
- if [ ! ${#pair[@]} = 2 ]; then
- echo "Invalid ServiceMonitor label format. Use '--servicemonitor-label=key=value'"
- exit 1
- fi
- export SERVICE_MONITOR_LABEL_KEY="${pair[0]}"
- export SERVICE_MONITOR_LABEL_VALUE="${pair[1]}"
- shift
- ;;
- *)
- show_help
- exit 1
- ;;
- esac
-done
-
-export PROMETHEUS_NAMESPACE=${PROMETHEUS_NAMESPACE:-$STASH_NAMESPACE}
-
-if [ "$STASH_NAMESPACE" != "kube-system" ]; then
- export STASH_PRIORITY_CLASS=""
-fi
-
-if [ "$STASH_UNINSTALL" -eq 1 ]; then
- # delete webhooks and apiservices
- kubectl delete validatingwebhookconfiguration -l app=stash || true
- kubectl delete mutatingwebhookconfiguration -l app=stash || true
- kubectl delete apiservice -l app=stash
- # delete stash operator
- kubectl delete deployment -l app=stash --namespace $STASH_NAMESPACE
- kubectl delete service -l app=stash --namespace $STASH_NAMESPACE
- kubectl delete secret -l app=stash --namespace $STASH_NAMESPACE
- # delete RBAC objects, if --rbac flag was used.
- kubectl delete serviceaccount -l app=stash --namespace $STASH_NAMESPACE
- kubectl delete clusterrolebindings -l app=stash
- kubectl delete clusterrole -l app=stash
- kubectl delete rolebindings -l app=stash --namespace $STASH_NAMESPACE
- kubectl delete role -l app=stash --namespace $STASH_NAMESPACE
- # delete servicemonitor and stash-apiserver-cert secret. ignore error as they might not exist
- kubectl delete servicemonitor stash-servicemonitor --namespace $PROMETHEUS_NAMESPACE || true
- kubectl delete secret stash-apiserver-cert --namespace $PROMETHEUS_NAMESPACE || true
- # delete psp resources
- kubectl delete psp stash-operator-psp stash-backup-job stash-backupsession-cron stash-restore-job || true
-
- echo "waiting for stash operator pod to stop running"
- for (( ; ; )); do
- pods=($(kubectl get pods --namespace $STASH_NAMESPACE -l app=stash -o jsonpath='{range .items[*]}{.metadata.name} {end}'))
- total=${#pods[*]}
- if [ $total -eq 0 ]; then
- break
- fi
- sleep 2
- done
-
- # https://github.com/kubernetes/kubernetes/issues/60538
- if [ "$STASH_PURGE" -eq 1 ]; then
- for crd in "${crds[@]}"; do
- pairs=($(kubectl get ${crd}.stash.appscode.com --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name} {.metadata.namespace} {end}' || true))
- total=${#pairs[*]}
-
- # save objects
- if [ $total -gt 0 ]; then
- echo "dumping ${crd} objects into ${crd}.yaml"
- kubectl get ${crd}.stash.appscode.com --all-namespaces -o yaml >${crd}.yaml
- fi
-
- for ((i = 0; i < $total; i += 2)); do
- name=${pairs[$i]}
- namespace=${pairs[$i + 1]}
-
- # remove finalizers
- kubectl patch ${crd} $name -n $namespace -p '{"metadata":{"finalizers":[]}}' --type=merge || true
-
- # delete crd object
- echo "deleting ${crd} $namespace/$name"
- kubectl delete ${crd}.stash.appscode.com $name -n $namespace
- done
-
- # delete crd
- kubectl delete crd ${crd}.stash.appscode.com || true
- done
-
- # delete user roles
- kubectl delete clusterroles appscode:stash:edit appscode:stash:view
- fi
-
- echo
- echo "Successfully uninstalled Stash!"
- exit 0
-fi
-
-echo "checking whether extended apiserver feature is enabled"
-$ONESSL has-keys configmap --namespace=kube-system --keys=requestheader-client-ca-file extension-apiserver-authentication || {
- echo "Set --requestheader-client-ca-file flag on Kubernetes apiserver"
- exit 1
-}
-echo ""
-
-export KUBE_CA=
-export STASH_ENABLE_APISERVER=false
-if [ "$STASH_ENABLE_VALIDATING_WEBHOOK" = true ] || [ "$STASH_ENABLE_MUTATING_WEBHOOK" = true ]; then
- $ONESSL get kube-ca >/dev/null 2>&1 || {
- echo "Admission webhooks can't be used when kube apiserver is accesible without verifying its TLS certificate (insecure-skip-tls-verify : true)."
- echo
- exit 1
- }
- export KUBE_CA=$($ONESSL get kube-ca | $ONESSL base64)
- export STASH_ENABLE_APISERVER=true
-fi
-
-env | sort | grep STASH*
-echo ""
-
-# create necessary TLS certificates:
-# - a local CA key and cert
-# - a webhook server key and cert signed by the local CA
-$ONESSL create ca-cert
-$ONESSL create server-cert server --domains=stash-operator.$STASH_NAMESPACE.svc
-export SERVICE_SERVING_CERT_CA=$(cat ca.crt | $ONESSL base64)
-export TLS_SERVING_CERT=$(cat server.crt | $ONESSL base64)
-export TLS_SERVING_KEY=$(cat server.key | $ONESSL base64)
-
-${SCRIPT_LOCATION}hack/deploy/operator.yaml | $ONESSL envsubst | kubectl apply -f -
-
-${SCRIPT_LOCATION}hack/deploy/service-account.yaml | $ONESSL envsubst | kubectl apply -f -
-${SCRIPT_LOCATION}hack/deploy/rbac-list.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
-${SCRIPT_LOCATION}hack/deploy/user-roles.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
-
-if [ "$STASH_RUN_ON_MASTER" -eq 1 ]; then
- kubectl patch deploy stash-operator -n $STASH_NAMESPACE \
- --patch="$(${SCRIPT_LOCATION}hack/deploy/run-on-master.yaml)"
-fi
-
-echo "Applying Pod Sucurity Policies"
-${SCRIPT_LOCATION}hack/deploy/psp/operator.yaml | $ONESSL envsubst | kubectl apply -f -
-${SCRIPT_LOCATION}hack/deploy/psp/backupsession-cron.yaml | $ONESSL envsubst | kubectl apply -f -
-${SCRIPT_LOCATION}hack/deploy/psp/backup-job.yaml | $ONESSL envsubst | kubectl apply -f -
-${SCRIPT_LOCATION}hack/deploy/psp/restore-job.yaml | $ONESSL envsubst | kubectl apply -f -
-
-if [ "$STASH_ENABLE_APISERVER" = true ]; then
- ${SCRIPT_LOCATION}hack/deploy/apiservices.yaml | $ONESSL envsubst | kubectl apply -f -
-fi
-if [ "$STASH_ENABLE_VALIDATING_WEBHOOK" = true ]; then
- ${SCRIPT_LOCATION}hack/deploy/validating-webhook.yaml | $ONESSL envsubst | kubectl apply -f -
-fi
-if [ "$STASH_ENABLE_MUTATING_WEBHOOK" = true ]; then
- ${SCRIPT_LOCATION}hack/deploy/mutating-webhook.yaml | $ONESSL envsubst | kubectl apply -f -
-fi
-
-echo
-echo "waiting until stash operator deployment is ready"
-$ONESSL wait-until-ready deployment stash-operator --namespace $STASH_NAMESPACE || {
- echo "Stash operator deployment failed to be ready"
- exit 1
-}
-
-if [ "$STASH_ENABLE_APISERVER" = true ]; then
- echo "waiting until stash apiservice is available"
- $ONESSL wait-until-ready apiservice v1alpha1.admission.stash.appscode.com || {
- echo "Stash apiservice failed to be ready"
- exit 1
- }
-fi
-
-echo "waiting until stash crds are ready"
-for crd in "${crds[@]}"; do
- $ONESSL wait-until-ready crd ${crd}.stash.appscode.com || {
- echo "$crd crd failed to be ready"
- exit 1
- }
-done
-
-if [ "$STASH_ENABLE_VALIDATING_WEBHOOK" = true ]; then
- echo "checking whether admission webhook(s) are activated or not"
- active=$($ONESSL wait-until-has annotation \
- --apiVersion=apiregistration.k8s.io/v1beta1 \
- --kind=APIService \
- --name=v1alpha1.admission.stash.appscode.com \
- --key=admission-webhook.appscode.com/active \
- --timeout=5m || {
- echo
- echo "Failed to check if admission webhook(s) are activated or not. Please check operator logs to debug further."
- exit 1
- })
- if [ "$active" = false ]; then
- echo
- echo "Admission webhooks are not activated."
- echo "Enable it by configuring --enable-admission-plugins flag of kube-apiserver."
- echo "For details, visit: https://appsco.de/kube-apiserver-webhooks ."
- echo "After admission webhooks are activated, please uninstall and then reinstall Stash operator."
- # uninstall misconfigured webhooks to avoid failures
- kubectl delete validatingwebhookconfiguration -l app=stash || true
- exit 1
- fi
-fi
-
-# configure prometheus monitoring
-if [ "$MONITORING_AGENT" != "$MONITORING_AGENT_NONE" ]; then
- # if operator monitoring is enabled and prometheus-namespace is provided,
- # create stash-apiserver-cert there. this will be mounted on prometheus pod.
- if [ "$MONITORING_OPERATOR" = "true" ] && [ "$PROMETHEUS_NAMESPACE" != "$STASH_NAMESPACE" ]; then
- ${SCRIPT_LOCATION}hack/deploy/monitor/apiserver-cert.yaml | $ONESSL envsubst | kubectl apply -f -
- fi
-
- case "$MONITORING_AGENT" in
- "$MONITORING_AGENT_BUILTIN")
- # apply common annotation
- kubectl annotate service stash-operator -n "$STASH_NAMESPACE" prometheus.io/scrape="true" --overwrite
-
- # apply pushgateway specific annotation
- if [ "$MONITORING_BACKUP" = "true" ]; then
- kubectl annotate service stash-operator -n "$STASH_NAMESPACE" --overwrite \
- prometheus.io/pushgateway_path="/metrics" \
- prometheus.io/pushgateway_port="56789" \
- prometheus.io/pushgateway_scheme="http"
- fi
-
- # apply operator specific annotation
- if [ "$MONITORING_OPERATOR" = "true" ]; then
- kubectl annotate service stash-operator -n "$STASH_NAMESPACE" --overwrite \
- prometheus.io/operator_path="/metrics" \
- prometheus.io/operator_port="8443" \
- prometheus.io/operator_scheme="https"
- fi
- ;;
- "$MONITORING_AGENT_COREOS_OPERATOR")
- if [ "$MONITORING_BACKUP" = "true" ] && [ "$MONITORING_OPERATOR" = "true" ]; then
- ${SCRIPT_LOCATION}hack/deploy/monitor/servicemonitor.yaml | $ONESSL envsubst | kubectl apply -f -
- elif [ "$MONITORING_BACKUP" = "true" ] && [ "$MONITORING_OPERATOR" = "false" ]; then
- ${SCRIPT_LOCATION}hack/deploy/monitor/servicemonitor-backup.yaml | $ONESSL envsubst | kubectl apply -f -
- elif [ "$MONITORING_BACKUP" = "false" ] && [ "$MONITORING_OPERATOR" = "true" ]; then
- ${SCRIPT_LOCATION}hack/deploy/monitor/servicemonitor-operator.yaml | $ONESSL envsubst | kubectl apply -f -
- fi
- ;;
- esac
-fi
-
-echo
-echo "Successfully installed Stash in $STASH_NAMESPACE namespace!"
diff --git a/hack/deploy/user-roles.yaml b/hack/deploy/user-roles.yaml
deleted file mode 100644
index 53bda5388..000000000
--- a/hack/deploy/user-roles.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: appscode:stash:edit
- labels:
- rbac.authorization.k8s.io/aggregate-to-admin: "true"
- rbac.authorization.k8s.io/aggregate-to-edit: "true"
-rules:
-- apiGroups:
- - stash.appscode.com
- resources:
- - restics
- - recoveries
- - repositories
- verbs: ["*"]
-- apiGroups:
- - repositories.stash.appscode.com
- resources:
- - snapshots
- verbs: ["delete", "deletecollection", "get", "list"]
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: appscode:stash:view
- labels:
- rbac.authorization.k8s.io/aggregate-to-view: "true"
-rules:
-- apiGroups:
- - stash.appscode.com
- resources:
- - restics
- - recoveries
- - repositories
- verbs: ["get", "list", "watch"]
-- apiGroups:
- - repositories.stash.appscode.com
- resources:
- - snapshots
- verbs: ["get", "list"]
diff --git a/hack/deploy/validating-webhook.yaml b/hack/deploy/validating-webhook.yaml
deleted file mode 100644
index 637b4ac67..000000000
--- a/hack/deploy/validating-webhook.yaml
+++ /dev/null
@@ -1,83 +0,0 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: admission.stash.appscode.com
- labels:
- app: stash
-webhooks:
-- name: restic.admission.stash.appscode.com
- clientConfig:
- service:
- namespace: default
- name: kubernetes
- path: /apis/admission.stash.appscode.com/v1alpha1/resticvalidators
- caBundle: ${KUBE_CA}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - stash.appscode.com
- apiVersions:
- - "*"
- resources:
- - restics
- failurePolicy: Fail
- ${STASH_WEBHOOK_SIDE_EFFECTS}
-- name: recovery.admission.stash.appscode.com
- clientConfig:
- service:
- namespace: default
- name: kubernetes
- path: /apis/admission.stash.appscode.com/v1alpha1/recoveryvalidators
- caBundle: ${KUBE_CA}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - stash.appscode.com
- apiVersions:
- - "*"
- resources:
- - recoveries
- failurePolicy: Fail
- ${STASH_WEBHOOK_SIDE_EFFECTS}
-- name: repository.admission.stash.appscode.com
- clientConfig:
- service:
- namespace: default
- name: kubernetes
- path: /apis/admission.stash.appscode.com/v1alpha1/repositoryvalidators
- caBundle: ${KUBE_CA}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - stash.appscode.com
- apiVersions:
- - "*"
- resources:
- - repositories
- failurePolicy: Fail
- ${STASH_WEBHOOK_SIDE_EFFECTS}
-- name: restoresession.admission.stash.appscode.com
- clientConfig:
- service:
- namespace: default
- name: kubernetes
- path: /apis/admission.stash.appscode.com/v1beta1/restoresessionvalidators
- caBundle: ${KUBE_CA}
- rules:
- - operations:
- - CREATE
- - UPDATE
- apiGroups:
- - stash.appscode.com
- apiVersions:
- - "*"
- resources:
- - restoresessions
- failurePolicy: Fail
- ${STASH_WEBHOOK_SIDE_EFFECTS}