diff --git a/minion/Chart.yaml b/minion/Chart.yaml
index 0a0804e..604bbc0 100644
--- a/minion/Chart.yaml
+++ b/minion/Chart.yaml
@@ -17,7 +17,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.1.2
+version: 1.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/minion/OpenShift_README.md b/minion/OpenShift_README.md
index 6babc3b..c66535b 100644
--- a/minion/OpenShift_README.md
+++ b/minion/OpenShift_README.md
@@ -23,7 +23,6 @@ This documentation provides basic information on how to install Minion on Red Ha
 6. Under Repository, select the newly created repository entry.
 7. Click on Minion.
 8. Make sure that the project name matches the name you set in step 2.
-   * Skip this step if you are setting “CreateNamespace” option to true.
 9. Make the required modifications (for example, set the PostgreSQL information).
 10. Click Create.
 11. Wait for the pods to come up. This may take a few minutes.
diff --git a/minion/README.md b/minion/README.md
index 31f5623..7f1f3c7 100644
--- a/minion/README.md
+++ b/minion/README.md
@@ -16,7 +16,6 @@ This template can be used to bring up a minion and connect it to a OpenNMS core.
 | clusterRole | bool | `true` | |
 | clusterRoleBinding | bool | `true` | |
 | core.instanceID | string | `"monms"` | |
-| createNamespace | bool | `false` | |
 | imagePullSecrets | list | `[]` | |
 | minion.configuration.ports.karaf.enabled | bool | `true` | |
 | minion.configuration.ports.karaf.externalPort | int | `8201` | |
@@ -40,8 +39,10 @@ This template can be used to bring up a minion and connect it to a OpenNMS core.
 | securitycontext.allowPrivilegeEscalation | bool | `true` | |
 | securitycontext.allowedCapabilities[0] | string | `"NET_BIND_SERVICE"` | |
 | securitycontext.allowedCapabilities[1] | string | `"CAP_NET_RAW"` | |
+| securitycontext.securitycontextconstraints.create | bool | `true` | |
 | securitycontext.securitycontextconstraints.enabled | bool | `true` | |
 | securitycontext.securitycontextconstraints.name | string | `"minion-scc"` | |
+| securitycontext.serviceaccount.create | bool | `true` | |
 | securitycontext.serviceaccount.enabled | bool | `true` | |
 | securitycontext.serviceaccount.name | string | `"minion-sa"` | |
 | truststore.content | string | `""` | |
diff --git a/minion/templates/docker.secret.yaml b/minion/templates/docker.secret.yaml
index d0e808c..7aab1ed 100644
--- a/minion/templates/docker.secret.yaml
+++ b/minion/templates/docker.secret.yaml
@@ -1,5 +1,5 @@
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-{{- $namespace := .Release.Name }}
+{{- $namespace := .Release.Namespace }}
 {{- range $k, $r := .Values.imagePullSecrets }}
 # TODO: find a better way to format this JSON that won't be sensitive to special characters
 {{- $json := printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" $r.dockerServer $r.dockerUsername $r.dockerPassword $r.dockerEmail (printf "%s:%s" $r.dockerUsername $r.dockerPassword | b64enc) }}
@@ -9,7 +9,6 @@ kind: Secret
 type: kubernetes.io/dockerconfigjson
 metadata:
   name: {{ $r.name }}
-  namespace: {{ $namespace }}
 data:
   .dockerconfigjson: {{ $json | b64enc }}
 {{- end }}
diff --git a/minion/templates/minion-configmap.yaml b/minion/templates/minion-configmap.yaml
index 380a5d0..f8ec35c 100644
--- a/minion/templates/minion-configmap.yaml
+++ b/minion/templates/minion-configmap.yaml
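Review bot: The first docker.secret.yaml hunk keeps `{{- $namespace := .Release.Namespace }}` while the second hunk removes `namespace: {{ $namespace }}`, the variable's only use, so the assignment is now dead (Go templates do not reject unused variables, so nothing will flag it); either drop the assignment or keep the explicit `namespace: {{ $namespace }}` on the Secret. The unchanged context line below it still builds `.dockerconfigjson` with `printf`, which the existing TODO already notes is unsafe for a registry password containing `"` or `\`. With the hunk open anyway, `{{- $json := dict "auths" (dict $r.dockerServer (dict "username" $r.dockerUsername "password" $r.dockerPassword "email" $r.dockerEmail "auth" (printf "%s:%s" $r.dockerUsername $r.dockerPassword | b64enc))) | toJson }}` escapes the values correctly and lets the TODO go.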
@@ -3,7 +3,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: minion-settings
-  namespace: {{ .Release.Name }}
 data:
   minion-config.yaml: |
     id: {{ .Values.minion.name }}
diff --git a/minion/templates/minion-core.sa.yaml b/minion/templates/minion-core.sa.yaml
index f31fbb9..a7dfa2b 100644
--- a/minion/templates/minion-core.sa.yaml
+++ b/minion/templates/minion-core.sa.yaml
@@ -1,8 +1,7 @@
-{{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).serviceaccount.enabled) }}
+{{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).serviceaccount.create) ((.Values.securitycontext).serviceaccount.enabled) }}
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ (.Values.securitycontext).serviceaccount.name | quote }}
-  namespace: {{ .Release.Name }}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/minion/templates/minion-core.scc.yaml b/minion/templates/minion-core.scc.yaml
index 9a391a4..3ebebe8 100644
--- a/minion/templates/minion-core.scc.yaml
+++ b/minion/templates/minion-core.scc.yaml
@@ -1,9 +1,8 @@
-{{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).securitycontextconstraints.enabled) }}
+{{- if and (eq (include "onOpenShift" .) "true") ((.Values.securitycontext).securitycontextconstraints.create) ((.Values.securitycontext).securitycontextconstraints.enabled) }}
 ---
 kind: SecurityContextConstraints
 metadata:
   name: {{ (.Values.securitycontext).securitycontextconstraints.name | quote }}
-  namespace: {{ .Release.Name }}
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
diff --git a/minion/templates/minion-data-pvc.yaml b/minion/templates/minion-data-pvc.yaml
index 7ab9f29..4171631 100644
--- a/minion/templates/minion-data-pvc.yaml
+++ b/minion/templates/minion-data-pvc.yaml
@@ -3,7 +3,6 @@ kind: PersistentVolumeClaim
 metadata:
   creationTimestamp: null
   name: minion-data-folder
-  namespace: {{ .Release.Name }}
 spec:
   accessModes:
   - ReadWriteOnce
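Review bot: The new `serviceaccount.create` term in the minion-core.sa.yaml condition (and `securitycontextconstraints.create` in minion-core.scc.yaml) is not explained anywhere in this change: the values.yaml, values.schema.json and README additions give the flag no comment, title or description, so a reader cannot tell how `create: false` differs from `enabled: false`. From the templates, `enabled: true` with `create: false` skips the ServiceAccount or SCC manifest while minion.clusterrolebinding.yaml still names the ServiceAccount as its subject, which reads as "bind to a pre-existing object of this name"; if that is the intent, say so next to the flags in values.yaml, e.g. `create: true  # set to false to use a pre-existing ServiceAccount of this name instead of creating it` and the matching line for the SCC, and mirror it in the schema `description` fields. While touching the schema, the context lines in the values.schema.json hunks show defaults `opennms-scc` and `opennms-sa` that disagree with the `minion-scc`/`minion-sa` defaults in values.yaml; Helm presumably treats the schema defaults as informational only, but the mismatch misleads readers.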
diff --git a/minion/templates/minion-deployment.yaml b/minion/templates/minion-deployment.yaml
index 196a4ac..7653e55 100644
--- a/minion/templates/minion-deployment.yaml
+++ b/minion/templates/minion-deployment.yaml
@@ -5,7 +5,6 @@ metadata:
   name: minion
   labels:
     app: minion
-  namespace: {{ .Release.Name }}
 spec:
   replicas: 1
   selector:
diff --git a/minion/templates/minion-secret.yaml b/minion/templates/minion-secret.yaml
index 04a1f92..49d5e32 100644
--- a/minion/templates/minion-secret.yaml
+++ b/minion/templates/minion-secret.yaml
@@ -1,9 +1,10 @@
+{{- if .Values.truststore.content }}
 apiVersion: v1
 kind: Secret
 type: Opaque
 metadata:
   name: minion-app-jks
-  namespace: {{ .Release.Name }}
 data: # To be mounted at /etc/java/jks
   truststore.jks: |
     {{ .Values.truststore.content }}
+{{- end }}
diff --git a/minion/templates/minion-service.yaml b/minion/templates/minion-service.yaml
index 1a09002..4c4cf6e 100644
--- a/minion/templates/minion-service.yaml
+++ b/minion/templates/minion-service.yaml
@@ -5,7 +5,6 @@ metadata:
   labels:
     app: minion
   name: minion
-  namespace: {{ .Release.Namespace }}
 spec:
   ports:
   {{- if .Values.minion.configuration.ports.karaf.enabled }}
diff --git a/minion/templates/minion.clusterrole.yaml b/minion/templates/minion.clusterrole.yaml
index 90dd059..350a5da 100644
--- a/minion/templates/minion.clusterrole.yaml
+++ b/minion/templates/minion.clusterrole.yaml
@@ -1,3 +1,4 @@
+{{ $name :=(printf "system:openshift:scc:%s" (.Values.securitycontext).securitycontextconstraints.name) }}
 {{- if and (eq (include "onOpenShift" .) "true") (.Values.clusterRole) }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/minion/templates/minion.clusterrolebinding.yaml b/minion/templates/minion.clusterrolebinding.yaml
index 66aa3aa..c14762c 100644
--- a/minion/templates/minion.clusterrolebinding.yaml
+++ b/minion/templates/minion.clusterrolebinding.yaml
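Review bot: minion-secret.yaml now renders no `minion-app-jks` Secret when `truststore.content` is empty, but nothing in the diff applies the same condition to whatever mounts it; if minion-deployment.yaml still references the Secret as a volume unconditionally (its `volumes:` section is outside this diff), a release without a truststore now fails to start the pod on a missing Secret where it previously received an empty one. Wrap that volume and its mount in the same `{{- if .Values.truststore.content }}` guard, or mark the volume `optional: true`. Separately, `{{ .Values.truststore.content }}` is substituted into the `truststore.jks: |` block scalar at a fixed indent, so a multi-line base64 value breaks the YAML unless the caller pre-indents it; `truststore.jks: |{{ .Values.truststore.content | nindent 4 }}` removes that dependency. The hunk also does not say that the value must already be base64, which the `data:` field requires; a one-line comment on `truststore.content` in values.yaml would cover it.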
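Review bot: `$name` is computed at the top of minion.clusterrole.yaml outside the `onOpenShift` guard, and the identical line is added to minion.clusterrolebinding.yaml in the next hunk, so the `system:openshift:scc:` prefix now lives in two places that can drift; a named template in the chart's helpers, e.g. `{{- define "minion.sccRoleName" -}}system:openshift:scc:{{ (.Values.securitycontext).securitycontextconstraints.name }}{{- end -}}`, used from both files would keep it in one. Style: the new line reads `{{ $name :=(printf` with no space after `:=` and no whitespace-trim marker, while every other action in these files uses `{{- ` and spaces around operators; `{{- $name := printf "system:openshift:scc:%s" (.Values.securitycontext).securitycontextconstraints.name }}` matches the surrounding code and drops the redundant parentheses. The uses of `$name` are below the hunk and not visible here.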
@@ -1,3 +1,4 @@
+{{ $name :=(printf "system:openshift:scc:%s" (.Values.securitycontext).securitycontextconstraints.name) }}
 {{- if and (eq (include "onOpenShift" .) "true") (.Values.clusterRoleBinding) }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -6,7 +7,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: {{ (.Values.securitycontext).serviceaccount.name | quote }}
-    namespace: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
diff --git a/minion/templates/namespace.yaml b/minion/templates/namespace.yaml
deleted file mode 100644
index 484e8bb..0000000
--- a/minion/templates/namespace.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-{{- if and .Values.createNamespace (not (eq .Release.Name "default")) }}
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: {{ .Release.Name }}
-{{- end }}
\ No newline at end of file
diff --git a/minion/values.schema.json b/minion/values.schema.json
index 15d5ce8..6752b55 100644
--- a/minion/values.schema.json
+++ b/minion/values.schema.json
@@ -2,11 +2,6 @@
   "$schema": "http://json-schema.org/schema#",
   "type": "object",
   "properties": {
-    "createNamespace": {
-      "type": "boolean",
-      "title": "Create Namespace",
-      "default": false
-    },
     "imagePullSecrets": {
       "type": "array",
       "title": "Image Pull Secrets",
@@ -214,6 +209,10 @@
         "type": "boolean",
         "default": true
       },
+      "create": {
+        "type": "boolean",
+        "default": true
+      },
       "name": {
         "type": "string",
         "default": "opennms-scc"
@@ -228,6 +227,10 @@
         "type": "boolean",
         "default": true
       },
+      "create": {
+        "type": "boolean",
+        "default": true
+      },
       "name": {
         "type": "string",
         "default": "opennms-sa"
diff --git a/minion/values.yaml b/minion/values.yaml
index ff0f2e3..9cf6fb8 100644
--- a/minion/values.yaml
+++ b/minion/values.yaml
@@ -1,5 +1,3 @@
-createNamespace: false # Whether to create the namespace for this deployment
-
 # Red Hat OpenShift related settings for creating Cluster Role and Binding
 clusterRole: true
 clusterRoleBinding: true
@@ -63,7 +61,9 @@ securitycontext:
   allowPrivilegeEscalation: true
   securitycontextconstraints:
     enabled: true
+    create: true
     name: minion-scc
   serviceaccount:
     enabled: true
+    create: true
     name: minion-sa