From 4828d25062a60d60e55ffac5a5beaa313948a633 Mon Sep 17 00:00:00 2001
From: ukff <110393214+ukff@users.noreply.github.com>
Date: Thu, 3 Oct 2024 12:16:21 +0200
Subject: [PATCH] wip
---
 resources/keb/templates/globalaccounts.yaml | 128 ++++++++++++++++++
 resources/keb/values.yaml | 2 +
 utils/globalaccounts/apply.sh | 23 ----
 .../kyma-environment-globalaccounts.yaml | 72 ----------
 4 files changed, 130 insertions(+), 95 deletions(-)
 create mode 100644 resources/keb/templates/globalaccounts.yaml
 delete mode 100755 utils/globalaccounts/apply.sh
 delete mode 100644 utils/globalaccounts/kyma-environment-globalaccounts.yaml
diff --git a/resources/keb/templates/globalaccounts.yaml b/resources/keb/templates/globalaccounts.yaml
new file mode 100644
index 0000000000..1330f5a228
--- /dev/null
+++ b/resources/keb/templates/globalaccounts.yaml
@@ -0,0 +1,128 @@
+{{ if .Values.globalaccounts.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: "kyma-environment-globalaccounts"
+ namespace: kcp-system
+ labels:
+ app.kubernetes.io/name: kyma-environment-globalaccounts
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kyma-environment-globalaccounts
+ template:
+ metadata:
+ name: kyma-environment-globalaccounts
+ labels:
+ app.kubernetes.io/name: kyma-environment-globalaccounts
+ spec:
+ serviceAccountName: kcp-kyma-environment-broker
+ securityContext:
+ runAsUser: 2000
+ restartPolicy: Always
+ containers:
+ - name: kyma-environment-globalaccounts
+ command: ["/bin/main"]
+ image: europe-docker.pkg.dev/kyma-project/prod/kyma-environment-globalaccounts:1.0.0
+ imagePullPolicy: Always
+ env:
+ - name: GLOBALACCOUNTS_DATABASE_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: kcp-storage-client-secret
+ key: secretKey
+ optional: true
+ - name: GLOBALACCOUNTS_DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ key: postgresql-broker-username
+ name: kcp-postgresql
+ - name: GLOBALACCOUNTS_DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: postgresql-broker-password
+ name: kcp-postgresql
+ - name: GLOBALACCOUNTS_DATABASE_HOST
+ valueFrom:
+ secretKeyRef:
+ key: postgresql-serviceName
+ name: kcp-postgresql
+ - name: GLOBALACCOUNTS_DATABASE_PORT
+ valueFrom:
+ secretKeyRef:
+ key: postgresql-servicePort
+ name: kcp-postgresql
+ - name: GLOBALACCOUNTS_DATABASE_NAME
+ valueFrom:
+ secretKeyRef:
+ key: postgresql-broker-db-name
+ name: kcp-postgresql
+ - name: GLOBALACCOUNTS_CIS_ACCOUNTS_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.cis.accounts.secretName | required "please specify .Values.cis.accounts.secretName" | quote }}
+ key: id
+ - name: GLOBALACCOUNTS_CIS_ACCOUNTS_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.cis.accounts.secretName | required "please specify .Values.cis.accounts.secretName" | quote }}
+ key: secret
+ - name: GLOBALACCOUNTS_ACCOUNTS_AUTH_URL
+ value: {{ .Values.cis.accounts.authURL | required "please specify .Values.cis.accounts.authURL" | quote }}
+ - name: GLOBALACCOUNTS_ACCOUNTS_SERVICE_URL
+ value: {{ .Values.cis.accounts.serviceURL | required "please specify .Values.cis.accounts.serviceURL" | quote }}
+ - name: GLOBALACCOUNTS_DATABASE_SSLMODE
+ valueFrom:
+ secretKeyRef:
+ key: postgresql-sslMode
+ name: kcp-postgresql
+ - name: GLOBALACCOUNTS_DATABASE_SSLROOTCERT
+ value: /secrets/cloudsql-sslrootcert/server-ca.pem
+ {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled false)}}
+ volumeMounts:
+ - name: cloudsql-sslrootcert
+ mountPath: /secrets/cloudsql-sslrootcert
+ readOnly: true
+ {{- end}}
+ {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled true)}}
+ - name: cloudsql-proxy
+ image: {{ .Values.global.images.cloudsql_proxy.repository }}:{{ .Values.global.images.cloudsql_proxy.tag }}
+ {{- if .Values.global.database.cloudsqlproxy.workloadIdentity.enabled }}
+ command: ["/cloud-sql-proxy",
+ "{{ .Values.global.database.managedGCP.instanceConnectionName }}",
+ "--exit-zero-on-sigterm",
+ "--private-ip"]
+ {{- else }}
+ command: ["/cloud-sql-proxy",
+ "{{ .Values.global.database.managedGCP.instanceConnectionName }}",
+ "--exit-zero-on-sigterm",
+ "--private-ip",
+ "--credentials-file=/secrets/cloudsql-instance-credentials/credentials.json"]
+ volumeMounts:
+ - name: cloudsql-instance-credentials
+ mountPath: /secrets/cloudsql-instance-credentials
+ readOnly: true
+ {{- end }}
+ {{- with .Values.deployment.securityContext }}
+ securityContext:
+ {{ toYaml . | nindent 16 }}
+ {{- end }}
+ {{- end}}
+ {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled true) (eq .Values.global.database.cloudsqlproxy.workloadIdentity.enabled false)}}
+ volumes:
+ - name: cloudsql-instance-credentials
+ secret:
+ secretName: cloudsql-instance-credentials
+ {{- end}}
+ {{- if and (eq .Values.global.database.embedded.enabled false) (eq .Values.global.database.cloudsqlproxy.enabled false)}}
+ volumes:
+ - name: cloudsql-sslrootcert
+ secret:
+ secretName: kcp-postgresql
+ items:
+ - key: postgresql-sslRootCert
+ path: server-ca.pem
+ optional: true
+ {{- end}}
+{{ end }}
\ No newline at end of file
diff --git a/resources/keb/values.yaml b/resources/keb/values.yaml
index e360897d56..08a49b8cbc 100644
--- a/resources/keb/values.yaml
+++ b/resources/keb/values.yaml
@@ -602,3 +602,5 @@ testConfig:
 kebDeployment:
 useAnnotations: false
 weight: "2"
+
+globalaccounts: false
\ No newline at end of file
diff --git a/utils/globalaccounts/apply.sh b/utils/globalaccounts/apply.sh
deleted file mode 100755
index 3181e47729..0000000000
--- a/utils/globalaccounts/apply.sh
+++ /dev/null
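Review bot: The `kyma-environment-globalaccounts` container is deployed with only a pod-level `runAsUser: 2000` and no container `securityContext`, so nothing enforces `runAsNonRoot`, forbids privilege escalation or drops capabilities, even though this same template wires `.Values.deployment.securityContext` into the `cloudsql-proxy` sidecar. Because the pod receives the broker DB password and the CIS client secret via `secretKeyRef`, it deserves at least the sidecar's hardening: either reuse the existing values block with `{{- with .Values.deployment.securityContext }}` / `securityContext: {{ toYaml . | nindent 12 }}` / `{{- end }}` on the main container, or pin an explicit one as below (drop `readOnlyRootFilesystem` if `/bin/main` is known to write to its filesystem). Two smaller points: the image is a hard-coded mutable tag `:1.0.0` pulled with `imagePullPolicy: Always`, whereas the proxy image is driven from `.Values.global.images`, so consider templating the repository/tag (or a digest) the same way; and the pod reuses `serviceAccountName: kcp-kyma-environment-broker`, which presumably carries the broker's RBAC — if this job needs no Kubernetes API access, a dedicated minimal service account is the least-privilege choice.
```yaml
      containers:
        - name: kyma-environment-globalaccounts
          command: ["/bin/main"]
          image: europe-docker.pkg.dev/kyma-project/prod/kyma-environment-globalaccounts:1.0.0
          imagePullPolicy: Always
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: env, volumeMounts …
```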
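Review bot: `globalaccounts: false` defines the key as a boolean, but the new template gates on `{{ if .Values.globalaccounts.enabled }}`; Go's text/template cannot resolve a field on a bool, so rendering should fail with `can't evaluate field enabled in type bool` for every install, not only when the feature is switched on. Make the value a map matching the template, `globalaccounts:` / `  enabled: false`, and document it with a comment such as `# Set to true to deploy the kyma-environment-globalaccounts Deployment (templates/globalaccounts.yaml)`. The added line also drops the file's trailing newline (`\ No newline at end of file`), which the previous end of file had.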
@@ -1,23 +0,0 @@
-#!/usr/bin/env bash
-
-# standard bash error handling
-set -o nounset # treat unset variables as an error and exit immediately.
-set -o errexit # exit immediately when a command fails.
-set -E # needs to be set if we want the ERR trap
-set -o pipefail # prevents errors in a pipeline from being masked
-
-deploymentName=kcp-kyma-environment-broker
-namespace=kcp-system
-kebContainerName=kyma-environment-broker
-cloudsqlProxyContainerName=cloudsql-proxy
-host=kyma-env-broker
-
-SCRIPT_CLOUDSQL_PROXY_COMMAND=$(kubectl get deployment $deploymentName -n $namespace -o jsonpath=\
-"{.spec.template.spec.containers[?(@.name==\"$cloudsqlProxyContainerName\")].command}")
-SCRIPT_CLOUDSQL_PROXY_IMAGE=$(kubectl get deployment $deploymentName -n $namespace -o jsonpath=\
-"{.spec.template.spec.containers[?(@.name==\"$cloudsqlProxyContainerName\")].image}")
-
-export SCRIPT_CLOUDSQL_PROXY_COMMAND
-export SCRIPT_CLOUDSQL_PROXY_IMAGE
-
-envsubst < kyma-environment-broker-globalaccounts.yaml | kubectl apply -f -
diff --git a/utils/globalaccounts/kyma-environment-globalaccounts.yaml b/utils/globalaccounts/kyma-environment-globalaccounts.yaml
deleted file mode 100644
index 8dc13dc1c6..0000000000
--- a/utils/globalaccounts/kyma-environment-globalaccounts.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-{{ if .Values.globalaccounts.enabled }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: "kyma-environment-globalaccounts"
- namespace: kcp-system
- labels:
- app.kubernetes.io/name: kyma-environment-globalaccounts
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: kyma-environment-globalaccounts
- template:
- metadata:
- name: kyma-environment-globalaccounts
- labels:
- app.kubernetes.io/name: kyma-environment-globalaccounts
- spec:
- serviceAccountName: kcp-kyma-environment-broker
- securityContext:
- runAsUser: 2000
- restartPolicy: Always
- containers:
- - name: kyma-environment-globalaccounts
- command: ["/bin/main"]
- image: europe-docker.pkg.dev/kyma-project/prod/kyma-environment-globalaccounts:1.0.0
- imagePullPolicy: Always
- env:
- - name: APP_DATABASE_SECRET_KEY
- valueFrom:
- secretKeyRef:
- name: kcp-storage-client-secret
- key: secretKey
- optional: true
- - name: APP_DATABASE_USER
- valueFrom:
- secretKeyRef:
- key: postgresql-broker-username
- name: kcp-postgresql
- - name: APP_DATABASE_PASSWORD
- valueFrom:
- secretKeyRef:
- key: postgresql-broker-password
- name: kcp-postgresql
- - name: APP_DATABASE_HOST
- valueFrom:
- secretKeyRef:
- key: postgresql-serviceName
- name: kcp-postgresql
- - name: APP_DATABASE_PORT
- valueFrom:
- secretKeyRef:
- key: postgresql-servicePort
- name: kcp-postgresql
- - name: APP_DATABASE_NAME
- valueFrom:
- secretKeyRef:
- key: postgresql-broker-db-name
- name: kcp-postgresql
- - name: APP_DATABASE_SSLMODE
- valueFrom:
- secretKeyRef:
- key: postgresql-sslMode
- name: kcp-postgresql
- - name: APP_DATABASE_SSLROOTCERT
- value: /secrets/cloudsql-sslrootcert/server-ca.pem
- - name: cloudsql-proxy
- image: ${SCRIPT_CLOUDSQL_PROXY_IMAGE}
- imagePullPolicy: IfNotPresent
- command: ${SCRIPT_CLOUDSQL_PROXY_COMMAND} # set by script
-{{ end }}
\ No newline at end of file