Gitiles
Code Review Sign In
gerrit.nordix.org / oransc / ric-plt / ric-dep / cd6dd98c1cbcdac0d7c1167ee38b02534f8e248f / . / helm / infrastructure / templates / deployment-tiller.yaml
blob: e2d58b06331a67266a558de4a0ef6784b16b662f [file] [log] [blame]
{{/*
Copyright (c) 2019 AT&T Intellectual Property.
Copyright (c) 2019 Nokia.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.common }}
{{- if .Values.common.tillers }}
{{- $topCtx := . }}
{{- range keys .Values.common.tillers }}
{{- $key := . }}
{{- with index $topCtx.Values.common.tillers . }}
{{- $nameSpace := .nameSpace }}
{{- $deployNameSpace := .deployNameSpace }}
{{- $img := .image.tiller }}
{{- $secretName := default "tiller-secret" .secret.tillerSecretName }}
{{- $imgPullPolicy := .imagePullPolicy }}
{{- $ctx := dict "ctx" $topCtx "key" $key }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "common.serviceaccountname.tiller" $ctx }}
namespace: {{ $deployNameSpace }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ include "common.tillerName" $ctx }}-tiller-base
namespace: {{ $nameSpace }}
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: [ {{ $secretName }} ]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/portforward"]
verbs: ["create"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods", "configmaps", "deployments", "services"]
verbs: ["get", "list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-base
namespace: {{ $nameSpace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "common.tillerName" $ctx }}-tiller-base
subjects:
- kind: ServiceAccount
name: {{ include "common.serviceaccountname.tiller" $ctx }}
namespace: {{ $deployNameSpace }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ include "common.tillerName" $ctx }}-tiller-operation
namespace: {{ $deployNameSpace }}
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "create", "delete", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-operation
namespace: {{ $deployNameSpace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "common.tillerName" $ctx }}-tiller-operation
subjects:
- kind: ServiceAccount
name: {{ include "common.serviceaccountname.tiller" $ctx }}
namespace: {{ $deployNameSpace }}
{{- if .serviceAccount.role }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ include "common.tillerName" $ctx }}-tiller-deployer
namespace: {{ $nameSpace }}
rules:
{{ toYaml .serviceAccount.role }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-deployer
namespace: {{ $nameSpace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "common.tillerName" $ctx }}-tiller-deployer
subjects:
- kind: ServiceAccount
name: {{ include "common.serviceaccountname.tiller" $ctx }}
namespace: {{ $deployNameSpace }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: helm
name: tiller
name: {{ include "common.deploymentname.tiller" $ctx }}
namespace: {{ $deployNameSpace }}
spec:
replicas: 1
selector:
matchLabels:
app: helm
name: tiller
template:
metadata:
labels:
app: helm
name: tiller
spec:
automountServiceAccountToken: true
{{- $newctx := dict "ctx" $topCtx "defaultregistry" $img.registry }}
imagePullSecrets:
- name: {{ include "common.dockerregistry.credential" $newctx }}
containers:
- env:
- name: TILLER_NAMESPACE
value: {{ $deployNameSpace }}
- name: TILLER_HISTORY_MAX
value: "0"
- name: TILLER_TLS_VERIFY
value: "1"
- name: TILLER_TLS_ENABLE
value: "1"
- name: TILLER_TLS_CERTS
value: /etc/certs
image: {{ include "common.dockerregistry.url" $newctx }}/{{- $img.name -}}:{{- $img.tag }}
{{- $newctx := dict "ctx" $topCtx "defaultpullpolicy" $imgPullPolicy }}
imagePullPolicy: {{ include "common.dockerregistry.pullpolicy" $newctx }}
livenessProbe:
httpGet:
path: /liveness
port: 44135
initialDelaySeconds: 1
timeoutSeconds: 1
name: tiller
ports:
- containerPort: 44134
name: tiller
- containerPort: 44135
name: http
readinessProbe:
httpGet:
path: /readiness
port: 44135
initialDelaySeconds: 1
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/certs
name: tiller-certs
readOnly: true
serviceAccountName: {{ include "common.serviceaccountname.tiller" $ctx }}
volumes:
- name: tiller-certs
secret:
secretName: {{ $secretName }}
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app: helm
name: tiller
name: {{ include "common.servicename.tiller" $ctx }}
namespace: {{ $deployNameSpace }}
spec:
ports:
- name: tiller
port: {{ default 44134 .port }}
targetPort: tiller
selector:
app: helm
name: tiller
type: ClusterIP
{{- end }}
{{- end }}
{{- end }}
{{- end }}