helm/infrastructure/templates/deployment-tiller.yaml

{{/*
   Copyright (c) 2019 AT&T Intellectual Property.
   Copyright (c) 2019 Nokia.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/}}
{{- if .Values.common }}
{{- if .Values.common.tillers }}
{{- $topCtx :=  . }}
{{- range keys .Values.common.tillers }}
{{- $key := . }}
{{- with index $topCtx.Values.common.tillers . }}
{{- $nameSpace := .nameSpace }}
{{- $deployNameSpace := .deployNameSpace }}
{{- $img := .image.tiller }}
{{- $secretName := default "tiller-secret" .secret.tillerSecretName }}
{{- $imgPullPolicy := .imagePullPolicy }}
{{- $ctx := dict "ctx" $topCtx "key" $key }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "common.serviceaccountname.tiller" $ctx }}
  namespace: {{ $deployNameSpace }}
---  
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: {{ include "common.tillerName" $ctx }}-tiller-base
  namespace: {{ $nameSpace }}
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: [ {{ $secretName }} ]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["pods/portforward"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get"]
- apiGroups: [""]  
  resources: ["pods", "configmaps", "deployments", "services"]
  verbs: ["get", "list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-base
  namespace: {{ $nameSpace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "common.tillerName" $ctx }}-tiller-base
subjects:
  - kind: ServiceAccount
    name: {{ include "common.serviceaccountname.tiller" $ctx }}
    namespace: {{ $deployNameSpace }}
---  
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: {{ include "common.tillerName" $ctx }}-tiller-operation
  namespace: {{ $deployNameSpace }}
rules:
- apiGroups: [""]  
  resources: ["configmaps"]
  verbs: ["get", "list", "create", "delete", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-operation
  namespace: {{ $deployNameSpace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "common.tillerName" $ctx }}-tiller-operation
subjects:
  - kind: ServiceAccount
    name: {{ include "common.serviceaccountname.tiller" $ctx }}
    namespace: {{ $deployNameSpace }}
{{- if .serviceAccount.role }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: {{ include "common.tillerName" $ctx }}-tiller-deployer
  namespace: {{ $nameSpace }}
rules:
{{ toYaml .serviceAccount.role }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ include "common.serviceaccountname.tiller" $ctx }}-{{ $nameSpace }}-tiller-deployer
  namespace: {{ $nameSpace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "common.tillerName" $ctx }}-tiller-deployer
subjects:
  - kind: ServiceAccount
    name: {{ include "common.serviceaccountname.tiller" $ctx }}
    namespace: {{ $deployNameSpace }}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: helm
    name: tiller
  name: {{ include "common.deploymentname.tiller" $ctx }}
  namespace: {{ $deployNameSpace }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helm
      name: tiller
  template:
    metadata:
      labels:
        app: helm
        name: tiller
    spec:
      automountServiceAccountToken: true
      {{- $newctx := dict "ctx" $topCtx "defaultregistry" $img.registry }}
      imagePullSecrets:
        - name: {{ include "common.dockerregistry.credential" $newctx }}
      containers:
      - env:
        - name: TILLER_NAMESPACE
          value: {{ $deployNameSpace }}
        - name: TILLER_HISTORY_MAX
          value: "0"
        - name: TILLER_TLS_VERIFY
          value: "1"
        - name: TILLER_TLS_ENABLE
          value: "1"
        - name: TILLER_TLS_CERTS
          value: /etc/certs
        image: {{ include "common.dockerregistry.url" $newctx }}/{{- $img.name -}}:{{- $img.tag }}
        {{- $newctx := dict "ctx" $topCtx "defaultpullpolicy" $imgPullPolicy }}
        imagePullPolicy: {{ include "common.dockerregistry.pullpolicy" $newctx }}
        livenessProbe:
          httpGet:
            path: /liveness
            port: 44135
          initialDelaySeconds: 1
          timeoutSeconds: 1
        name: tiller
        ports:
        - containerPort: 44134
          name: tiller
        - containerPort: 44135
          name: http
        readinessProbe:
          httpGet:
            path: /readiness
            port: 44135
          initialDelaySeconds: 1
          timeoutSeconds: 1
        volumeMounts:
        - mountPath: /etc/certs
          name: tiller-certs
          readOnly: true
      serviceAccountName: {{ include "common.serviceaccountname.tiller" $ctx }}
      volumes:
      - name: tiller-certs
        secret:
          secretName: {{ $secretName }}
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: helm
    name: tiller
  name: {{ include "common.servicename.tiller" $ctx }}
  namespace: {{ $deployNameSpace }}
spec:
  ports:
  - name: tiller
    port: {{ default 44134 .port }}
    targetPort: tiller
  selector:
    app: helm
    name: tiller
  type: ClusterIP
{{- end }}
{{- end }}
{{- end }}
{{- end }}