Merge pull request #403 from monasca/monasca-cleanup-rbac

[monasca] add RBAC rules for monasca-agent and the cleanup job

monasca/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 description: A Helm chart for Monasca running in Kubernetes
 name: monasca
-version: 0.5.0
+version: 0.6.0
 sources:
 - https://wiki.openstack.org/wiki/Monasca
 maintainers:

monasca/templates/agent-clusterrole.yaml

@@ -0,0 +1,30 @@
+{{- if and (.Values.rbac.create) (not .Values.agent.serviceAccount) }}
+kind: ClusterRole
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+metadata:
+  name: "{{ template "agent.fullname" . }}"
+rules:
+  - apiGroups: ["", "extensions", "storage.k8s.io"]
+    verbs: ["get", "list"]
+    resources:
+      - namespaces
+      - pods
+      - replicasets
+      - deployments
+      - replicationcontrollers
+      - nodes
+      - services
+      - componentstatuses
+      - storageclasses
+  - apiGroups: ["", "batch", "extensions", "storage.k8s.io"]
+    verbs: ["get", "list", "delete"]
+    resources:
+      - jobs
+      - pods
+{{- end  }}

monasca/templates/agent-clusterrolebinding.yaml

@@ -0,0 +1,20 @@
+{{- if and (.Values.rbac.create) (not .Values.agent.serviceAccount) }}
+kind: ClusterRoleBinding
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+metadata:
+  name: "{{ template "agent.fullname" . }}"
+subjects:
+  - kind: ServiceAccount
+    name: "{{ template "agent.fullname" . }}"
+    namespace: "{{ .Release.Namespace }}"
+roleRef:
+  kind: ClusterRole
+  name: "{{ template "agent.fullname" . }}"
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

monasca/templates/agent-daemonset.yaml

@@ -149,4 +149,9 @@ spec:
               value: {{ .Values.agent.forwarder.backlog_send_rate | quote }}
             - name: HOSTNAME_FROM_KUBERNETES
               value: "true"
+      {{- if .Values.agent.serviceAccount }}
+      serviceAccountName: {{ .Values.agent.serviceAccount | quote }}
+      {{- else if .Values.rbac.create }}
+      serviceAccountName: "{{ template "agent.fullname" . }}"
+      {{- end }}
 {{- end}}

monasca/templates/agent-deployment.yaml

@@ -147,4 +147,9 @@ spec:
           configMap:
             name: {{ template "agent.fullname" . }}
       {{- end}}
+      {{- if .Values.agent.serviceAccount }}
+      serviceAccountName: {{ .Values.agent.serviceAccount | quote }}
+      {{- else if .Values.rbac.create }}
+      serviceAccountName: "{{ template "agent.fullname" . }}"
+      {{- end }}
 {{- end}}

monasca/templates/agent-serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if and (.Values.rbac.create) (not .Values.agent.serviceAccount) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "{{ template "agent.fullname" . }}"
+  labels:
+    app: {{ template "fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    component: "{{ .Values.agent.name }}"
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- end }}

monasca/templates/cleanup-hook.yaml

@@ -40,3 +40,8 @@ spec:
               value: "{{ .Values.cleanup.wait.delay }}"
             - name: "WAIT_TIMEOUT"
               value: "{{ .Values.cleanup.wait.timeout }}"
+      {{- if .Values.cleanup.serviceAccount }}
+      serviceAccountName: {{ .Values.cleanup.serviceAccount | quote }}
+      {{- else if .Values.rbac.create }}
+      serviceAccountName: "{{ template "cleanup.fullname" . }}"
+      {{- end }}

monasca/templates/cleanup-role.yaml

@@ -0,0 +1,25 @@
+{{- if and (.Values.rbac.create) (not .Values.cleanup.serviceAccount) }}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+kind: Role
+metadata:
+  name: {{ template "cleanup.fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    component: "{{ .Values.cleanup.name }}"
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "delete", "patch"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "delete"]
+{{- end }}

monasca/templates/cleanup-rolebinding.yaml

@@ -0,0 +1,26 @@
+{{- if and (.Values.rbac.create) (not .Values.cleanup.serviceAccount) }}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1alpha1" }}
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+{{- end }}
+kind: RoleBinding
+metadata:
+  name: {{ template "cleanup.fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    component: "{{ .Values.cleanup.name }}"
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "cleanup.fullname" . }}
+    namespace: "{{ .Release.Namespace }}"
+roleRef:
+  kind: Role
+  name: {{ template "cleanup.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

monasca/templates/cleanup-serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if and (.Values.rbac.create) (not .Values.cleanup.serviceAccount) }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "cleanup.fullname" . }}
+  labels:
+    app: {{ template "fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    component: "{{ .Values.cleanup.name }}"
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+{{- end }}

monasca/values.yaml

@@ -111,6 +111,12 @@ mysql:
 
 agent:
   name: agent
+
+  # an optional preexisting ServiceAccount to use
+  # to create a service account automatically for the agent, deploy with:
+  # rbac.create=true
+  serviceAccount: ''
+
   daemonset_enabled: true
   deployment_enabled: true
   daemonset_toleration:
@@ -667,11 +673,15 @@ client:
     project_domain_name: Default
 
 rbac:
-  enabled: false
-  apiVersion: rbac.authorization.k8s.io/v1beta1
+  create: false
 
 cleanup:
   name: cleanup
+
+  # an optional preexisting ServiceAccount to use
+  # to create a service account for the job automatically, deploy with:
+  # rbac.create=true
+  serviceAccount: ''
   image:
     repository: monasca/job-cleanup
     tag: 1.2.1
@@ -1600,8 +1610,8 @@ smoke_tests:
 
 alarm_definition_controller:
   name: adc
-  controller_enabled: true
-  resource_enabled: true
+  controller_enabled: false
+  resource_enabled: false
   image:
     repository: monasca/alarm-definition-controller
     tag: 1.1.0