Merge pull request #132 from jacobweinstock/global
Improve rbac setting by using Helm globals:

## Description

<!--- Please describe what this PR is going to change -->
This allows all RBAC resources to be toggled between Role and ClusterRole. It also simplifies the trustedProxies setting for Hegel and Smee, and the loadBalancerIP/publicIP shared between the stack and Smee. In my opinion, the Helm install experience is improved.

I also removed all the required fields in the values.schema.json so that flexibility of configuration is not limited.

## Why is this needed

<!--- Link to issue you have raised -->

Fixes: #

## How Has This Been Tested?
<!--- Please describe in detail how you tested your changes. -->
<!--- Include details of your testing environment, and the tests you ran to -->
<!--- see how your change affects other areas of the code, etc. -->


## How are existing users impacted? What migration steps/scripts do we need?

<!--- Fixes a bug, unblocks installation, removes a component of the stack etc -->
<!--- Requires a DB migration script, etc. -->


## Checklist:

I have:

- [ ] updated the documentation and/or roadmap (if required)
- [ ] added unit or e2e tests
- [ ] provided instructions on how to upgrade
jacobweinstock authored Oct 16, 2024
2 parents 250a50f + 5ecad7f commit 11daaea
Showing 24 changed files with 396 additions and 369 deletions.
10 changes: 8 additions & 2 deletions tinkerbell/hegel/templates/deployment.yaml
@@ -1,4 +1,10 @@
{{- if .Values.deploy }}
{{- $trustedProxies := .Values.trustedProxies }}
{{- $roleType := .Values.rbac.type }}
{{- if .Values.global }}
{{- $trustedProxies = coalesce .Values.trustedProxies .Values.global.trustedProxies }}
{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -32,15 +38,15 @@ spec:
- args:
- --backend=kubernetes
- --http-addr=:{{ .Values.deployment.port }}
{{- if eq .Values.rbac.type "Role"}}
{{- if eq $roleType "Role"}}
- --kubernetes-namespace={{ .Release.Namespace }}
{{- end }}
{{- range .Values.args }}
- {{ . }}
{{- end }}
env:
- name: HEGEL_TRUSTED_PROXIES
value: {{ required "missing trustedProxies" ( join "," .Values.trustedProxies | quote ) }}
value: {{ required "missing trustedProxies" ( join "," $trustedProxies | quote ) }}
{{- range $i, $env := .Values.env }}
- name: {{ $env.name | quote }}
value: {{ $env.value | quote }}
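Review bot: `coalesce .Values.global.rbac.type .Values.rbac.type` in the header hunk dereferences `.Values.global.rbac` as soon as `.Values.global` is truthy, so a parent chart that sets only `global.trustedProxies` (or `global.publicIP`) without a `global.rbac` block makes every render fail with a nil-pointer error on `.type`; the identical expression is repeated in hegel role.yaml and rolebinding.yaml and in the rufio and smee deployment, role and role-binding templates. A nil-safe lookup removes that coupling between unrelated globals: `{{- $roleType = coalesce (dig "rbac" "type" "" .Values.global) .Values.rbac.type }}` (sprig's `dig`; on a Helm release without it, nest a second `if .Values.global.rbac` instead). The precedence is also inverted between the two globals resolved here — for trustedProxies the chart-local value wins, for rbac the global wins — so a subchart deliberately pinned to `rbac.type: Role` is silently widened to ClusterRole once `global.rbac.type: ClusterRole` is set; if that is intended it deserves a comment next to the assignment, e.g. `# global.rbac.type overrides the per-chart value; a chart-local trustedProxies overrides the global one`. Since values.schema.json no longer lists `rbac.type` as required, an unset type now shows up only at render time as an empty `kind:`, which a guard such as `{{- if not (has $roleType (list "Role" "ClusterRole")) }}{{ fail "rbac.type must be Role or ClusterRole" }}{{- end }}` would report explicitly.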
8 changes: 6 additions & 2 deletions tinkerbell/hegel/templates/role.yaml
@@ -1,9 +1,13 @@
{{- if .Values.deploy }}
{{- $roleType := .Values.rbac.type }}
{{- if .Values.global }}
{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ .Values.rbac.type }}
kind: {{ $roleType }}
metadata:
name: {{ .Values.rbac.name }}
{{- if eq .Values.rbac.type "Role" }}
{{- if eq $roleType "Role" }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
rules:
10 changes: 7 additions & 3 deletions tinkerbell/hegel/templates/rolebinding.yaml
@@ -1,14 +1,18 @@
{{- if .Values.deploy }}
{{- $roleType := .Values.rbac.type }}
{{- if .Values.global }}
{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ printf "%sBinding" .Values.rbac.type }}
kind: {{ printf "%sBinding" $roleType }}
metadata:
name: {{ .Values.rbac.bindingName }}
{{- if eq .Values.rbac.type "Role" }}
{{- if eq $roleType "Role" }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ .Values.rbac.type }}
kind: {{ $roleType }}
name: {{ .Values.rbac.name }}
subjects:
- kind: ServiceAccount
58 changes: 8 additions & 50 deletions tinkerbell/hegel/values.schema.json
@@ -23,10 +23,7 @@
"port": {
"type": "integer"
}
},
"required": [
"port"
]
}
},
"deployment": {
"type": "object",
@@ -37,11 +34,7 @@
"portName": {
"type": "string"
}
},
"required": [
"port",
"portName"
]
}
},
"resources": {
"type": "object",
@@ -55,11 +48,7 @@
"memory": {
"type": "string"
}
},
"required": [
"cpu",
"memory"
]
}
},
"requests": {
"type": "object",
@@ -70,17 +59,9 @@
"memory": {
"type": "string"
}
},
"required": [
"cpu",
"memory"
]
}
}
},
"required": [
"limits",
"requests"
]
}
},
"rbac": {
"type": "object",
@@ -95,12 +76,7 @@
"bindingName": {
"type": "string"
}
},
"required": [
"type",
"name",
"bindingName"
]
}
},
"nodeSelector": {
"type": "object"
@@ -118,25 +94,7 @@
"nodeAffinityWeight": {
"type": "integer"
}
},
"required": [
"controlPlaneTolerationsEnabled",
"nodeAffinityWeight"
]
}
}
},
"required": [
"deploy",
"name",
"image",
"imagePullPolicy",
"replicas",
"service",
"deployment",
"resources",
"rbac",
"nodeSelector",
"trustedProxies",
"singleNodeClusterConfig"
]
}
}
6 changes: 5 additions & 1 deletion tinkerbell/rufio/templates/deployment.yaml
@@ -1,4 +1,8 @@
{{- if .Values.deploy }}
{{- $roleType := .Values.rbac.type }}
{{- if .Values.global }}
{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -41,7 +45,7 @@ spec:
- /manager
args:
- --leader-elect
{{- if eq .Values.rbac.type "Role" }}
{{- if eq $roleType "Role" }}
- -kube-namespace={{ .Release.Namespace }}
{{- end }}
{{- range .Values.additionalArgs }}
10 changes: 7 additions & 3 deletions tinkerbell/rufio/templates/role-binding.yaml
@@ -1,14 +1,18 @@
{{- if .Values.deploy }}
{{- $roleType := .Values.rbac.type }}
{{- if .Values.global }}
{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ printf "%sBinding" .Values.rbac.type }}
kind: {{ printf "%sBinding" $roleType }}
metadata:
name: {{ .Values.rbac.bindingName }}
{{- if eq .Values.rbac.type "Role" }}
{{- if eq $roleType "Role" }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ .Values.rbac.type }}
kind: {{ $roleType }}
name: {{ .Values.rbac.name }}
subjects:
- kind: ServiceAccount
8 changes: 6 additions & 2 deletions tinkerbell/rufio/templates/role.yaml
@@ -1,9 +1,13 @@
{{- if .Values.deploy }}
{{- $roleType := .Values.rbac.type }}
{{- if .Values.global }}
{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ .Values.rbac.type }}
kind: {{ $roleType }}
metadata:
name: {{ .Values.rbac.name }}
{{- if eq .Values.rbac.type "Role" }}
{{- if eq $roleType "Role" }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
rules:
48 changes: 6 additions & 42 deletions tinkerbell/rufio/values.schema.json
@@ -26,11 +26,7 @@
"memory": {
"type": "string"
}
},
"required": [
"cpu",
"memory"
]
}
},
"limits": {
"type": "object",
@@ -41,17 +37,9 @@
"memory": {
"type": "string"
}
},
"required": [
"cpu",
"memory"
]
}
}
},
"required": [
"requests",
"limits"
]
}
},
"additionalArgs": {
"type": "array",
@@ -81,11 +69,7 @@
"nodeAffinityWeight": {
"type": "integer"
}
},
"required": [
"controlPlaneTolerationsEnabled",
"nodeAffinityWeight"
]
}
},
"rbac": {
"type": "object",
@@ -100,27 +84,7 @@
"bindingName": {
"type": "string"
}
},
"required": [
"type",
"name",
"bindingName"
]
}
}
},
"required": [
"deploy",
"name",
"image",
"imagePullPolicy",
"resources",
"additionalArgs",
"serviceAccountName",
"rufioLeaderElectionRoleName",
"rufioLeaderElectionRoleBindingName",
"nodeSelector",
"hostNetwork",
"singleNodeClusterConfig",
"rbac"
]
}
}
26 changes: 17 additions & 9 deletions tinkerbell/smee/templates/deployment.yaml
@@ -1,11 +1,19 @@
{{- if .Values.deploy }}
{{- $_ := set .Values.dhcp "syslogIp" (default .Values.publicIP .Values.dhcp.syslogIp) }}
{{- $_ := set .Values.dhcp "ipForPacket" (default .Values.publicIP .Values.dhcp.ipForPacket) }}
{{- $_ := set .Values.dhcp "tftpIp" (default .Values.publicIP .Values.dhcp.tftpIp) }}
{{- $_ := set .Values.dhcp.httpIPXE.binaryUrl "host" (default .Values.publicIP .Values.dhcp.httpIPXE.binaryUrl.host) }}
{{- $_ := set .Values.dhcp.httpIPXE.scriptUrl "host" (default .Values.publicIP .Values.dhcp.httpIPXE.scriptUrl.host) }}
{{- $_ := set .Values.http.tinkServer "ip" (default .Values.publicIP .Values.http.tinkServer.ip) }}
{{- $_ := set .Values.http.osieUrl "host" (default .Values.publicIP .Values.http.osieUrl.host) }}
{{- $publicIP := .Values.publicIP }}
{{- $trustedProxies := .Values.trustedProxies }}
{{- $roleType := .Values.rbac.type }}
{{- if .Values.global }}
{{- $publicIP = coalesce .Values.publicIP .Values.global.publicIP }}
{{- $trustedProxies = coalesce .Values.trustedProxies .Values.global.trustedProxies }}
{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
{{- end }}
{{- $_ := set .Values.dhcp "syslogIp" (default $publicIP .Values.dhcp.syslogIp) }}
{{- $_ := set .Values.dhcp "ipForPacket" (default $publicIP .Values.dhcp.ipForPacket) }}
{{- $_ := set .Values.dhcp "tftpIp" (default $publicIP .Values.dhcp.tftpIp) }}
{{- $_ := set .Values.dhcp.httpIPXE.binaryUrl "host" (default $publicIP .Values.dhcp.httpIPXE.binaryUrl.host) }}
{{- $_ := set .Values.dhcp.httpIPXE.scriptUrl "host" (default $publicIP .Values.dhcp.httpIPXE.scriptUrl.host) }}
{{- $_ := set .Values.http.tinkServer "ip" (default $publicIP .Values.http.tinkServer.ip) }}
{{- $_ := set .Values.http.osieUrl "host" (default $publicIP .Values.http.osieUrl.host) }}
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -42,7 +50,7 @@ spec:
imagePullPolicy: {{ .Values.imagePullPolicy }}
args:
- -log-level={{ .Values.logLevel }}
{{- if eq .Values.rbac.type "Role"}}
{{- if eq $roleType "Role"}}
- -backend-kube-namespace={{ .Release.Namespace }}
{{- end }}
- -dhcp-addr={{ printf "%v:%v" .Values.dhcp.ip .Values.dhcp.port }}
@@ -62,7 +70,7 @@ spec:
- -osie-url={{include "urlJoiner" (dict "urlDict" .Values.http.osieUrl)}}
- -tink-server={{ printf "%v:%v" .Values.http.tinkServer.ip .Values.http.tinkServer.port }}
- -tink-server-tls={{ .Values.http.tinkServer.tls }}
- -trusted-proxies={{ required "missing trustedProxies" ( join "," .Values.trustedProxies ) }}
- -trusted-proxies={{ required "missing trustedProxies" ( join "," $trustedProxies ) }}
- -syslog-enabled={{ .Values.syslog.enabled }}
- -ipxe-script-patch={{ .Values.ipxeScriptPatch }}
- -tftp-enabled={{ .Values.tftp.enabled }}
10 changes: 7 additions & 3 deletions tinkerbell/smee/templates/role-binding.yaml
@@ -1,14 +1,18 @@
{{- if .Values.deploy }}
{{- $roleType := .Values.rbac.type }}
{{- if .Values.global }}
{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ printf "%sBinding" .Values.rbac.type }}
kind: {{ printf "%sBinding" $roleType }}
metadata:
name: {{ .Values.rbac.bindingName }}
{{- if eq .Values.rbac.type "Role" }}
{{- if eq $roleType "Role" }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: {{ .Values.rbac.type }}
kind: {{ $roleType }}
name: {{ .Values.rbac.name }}
subjects:
- kind: ServiceAccount
8 changes: 6 additions & 2 deletions tinkerbell/smee/templates/role.yaml
@@ -1,9 +1,13 @@
{{- if .Values.deploy }}
{{- $roleType := .Values.rbac.type }}
{{- if .Values.global }}
{{- $roleType = coalesce .Values.global.rbac.type .Values.rbac.type }}
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ .Values.rbac.type }}
kind: {{ $roleType }}
metadata:
name: {{ .Values.rbac.name }}
{{- if eq .Values.rbac.type "Role" }}
{{- if eq $roleType "Role" }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
rules:
