Chart Grooming (#14)

* Chart Grooming - Changed the default `workflow-controller` installation to use the `ServiceAccount` that is created and bound. - Customized the instanceID logic: - No longer defaults to installed (this was very difficult to see/understand when coming from starter tutorials) - Kept logic to allow for release name or explicit mappings but changed structure a bit - Added in optional configuration for: - CRD Install hook's ServiceAccount to allow clean install if your default roles aren't privledged - Optional Pod and Service annotations - Controller logging level configuration - Minio Customizations - Changed the Secret configuration to properly represent the path of a secret instead of the actual contents - Changed the names of the secret and service that are represented to mirror that of the underlying chart * Adding in role bindings for minio secrets if installed
2018-08-16 00:39:27 -07:00 · 2018-08-16 00:39:27 -07:00 · b6588e85b8
commit b6588e85b8
parent edb3e6b41a
10 changed files with 143 additions and 41 deletions
--- a/charts/argo/templates/apply-workflow-crd-job.yaml
+++ b/charts/argo/templates/apply-workflow-crd-job.yaml
@ -10,9 +10,10 @@ spec:
  activeDeadlineSeconds: 100
  template:
    spec:
+      serviceAccountName: {{ .Values.init.serviceAccount | quote }}
      containers:
      - name: kubectl-apply
        image: lachlanevenson/k8s-kubectl
        command: ["/bin/sh"]
        args: ["-c", 'echo ''{{- include "workflow-crd-json" .}}'' | kubectl apply -f -']
-      restartPolicy: Never
+      restartPolicy: Never
--- a/charts/argo/templates/ui-deployment.yaml
+++ b/charts/argo/templates/ui-deployment.yaml
@ -13,10 +13,18 @@ spec:
      labels:
        app: {{ .Release.Name }}-{{ .Values.ui.name}}
        release: {{ .Release.Name }}
+      {{- if .Values.ui.podAnnotations }}
+      annotations:
+{{ toYaml .Values.ui.podAnnotations | indent 8}}{{- end }}
    spec:
+      serviceAccountName: {{ .Values.ui.serviceAccount | quote }}
      containers:
        - name: ui
          image: "{{ .Values.images.namespace }}/{{ .Values.images.ui }}:{{ .Values.images.tag }}"
          env:
          - name: IN_CLUSTER
            value: "true"
+        {{- if .Values.ui.enableWebConsole }}
+          - name: ENABLE_WEB_CONSOLE
+            value: "true"
+        {{- end }}
--- a/charts/argo/templates/ui-service.yaml
+++ b/charts/argo/templates/ui-service.yaml
@ -7,6 +7,9 @@ metadata:
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    namspace: {{ .Release.Namespace }}
+  {{- if .Values.ui.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.ui.serviceAnnotations | indent 4}}{{- end }}
 spec:
  ports:
  - port: 80
--- a/charts/argo/templates/worfkflow-controller-secrets-access.yaml
+++ b/charts/argo/templates/worfkflow-controller-secrets-access.yaml
@ -0,0 +1,18 @@
+{{ if .Values.minio.install }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name}}-minio-secret
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Values.artifactRepository.s3.accessKeySecret.name | default (printf "%s-%s" .Release.Name "minio") | quote }}
+  - {{ .Values.artifactRepository.s3.secretKeySecret.name | default (printf "%s-%s" .Release.Name "minio") | quote }}
+  verbs:
+  - get
+  - watch
+  - list
+{{- end }}
--- a/charts/argo/templates/workflow-controller-config-map.yaml
+++ b/charts/argo/templates/workflow-controller-config-map.yaml
@ -9,10 +9,12 @@ metadata:
    namespace: {{ .Release.Namespace }}
 data:
  config: |
-    {{- if .Values.controller.useReleaseAsInstanceID }}
+    {{- if .Values.controller.instanceID.enabled }}
+    {{- if .Values.controller.instanceID.useReleaseName }}
    instanceID: {{ .Release.Name }}
    {{- else }}
-    instanceID: {{ .Values.controller.instanceID }}
+    instanceID: {{ .Values.controller.instanceID.explicitID }}
+    {{- end }}
    {{- end }}
    artifactRepository:
      {{- if or .Values.minio.install .Values.useDefaultArtifactRepo }}
@ -20,13 +22,13 @@ data:
        {{- if .Values.useStaticCredentials }}
        accessKeySecret:
          key: {{ .Values.artifactRepository.s3.accessKeySecret.key }}
-          name: {{ .Values.artifactRepository.s3.accessKeySecret.name | default (printf "%s-%s" .Release.Name "minio-user") }}
+          name: {{ .Values.artifactRepository.s3.accessKeySecret.name | default (printf "%s-%s" .Release.Name "minio") }}
        secretKeySecret:
          key: {{ .Values.artifactRepository.s3.secretKeySecret.key }}
-          name: {{ .Values.artifactRepository.s3.secretKeySecret.name | default (printf "%s-%s" .Release.Name "minio-user") }}
+          name: {{ .Values.artifactRepository.s3.secretKeySecret.name | default (printf "%s-%s" .Release.Name "minio") }}
        {{- end }}
        bucket: {{ .Values.artifactRepository.s3.bucket | default .Values.minio.defaultBucket.name }}
-        endpoint: {{ .Values.artifactRepository.s3.endpoint | default (printf "%s-%s" .Release.Name "minio-svc:9000") }}
+        endpoint: {{ .Values.artifactRepository.s3.endpoint | default (printf "%s-%s" .Release.Name "minio:9000") }}
        insecure: {{ .Values.artifactRepository.s3.insecure }}
      {{- end}}
    executorImage: "{{ .Values.images.namespace }}/{{ .Values.images.executor }}:{{ .Values.images.tag }}"
--- a/charts/argo/templates/workflow-controller-deployment.yaml
+++ b/charts/argo/templates/workflow-controller-deployment.yaml
@ -14,12 +14,22 @@ spec:
      labels:
        app: {{ .Release.Name }}-{{ .Values.controller.name}}
        release: {{ .Release.Name }}
+      {{- if .Values.controller.podAnnotations }}
+      annotations:
+{{ toYaml .Values.controller.podAnnotations | indent 8}}{{- end }}
    spec:
+      serviceAccountName: {{ .Values.controller.serviceAccount | quote }}
      containers:
        - name: controller
          image: "{{ .Values.images.namespace }}/{{ .Values.images.controller }}:{{ .Values.images.tag }}"
          command: [ "workflow-controller" ]
-          args: ["--configmap", "{{ .Release.Name }}-{{ .Values.controller.name}}-configmap"]
+          args:
+          - "--configmap"
+          - "{{ .Release.Name }}-{{ .Values.controller.name}}-configmap"
+          - "--loglevel"
+          - "{{ .Values.controller.logging.level }}"
+          - "--gloglevel"
+          - "{{ .Values.controller.logging.globallevel }}"
          env:
          - name: ARGO_NAMESPACE
            valueFrom:
--- a/charts/argo/templates/workflow-controller-minio-secret-crb.yaml
+++ b/charts/argo/templates/workflow-controller-minio-secret-crb.yaml
@ -0,0 +1,25 @@
+{{ if .Values.minio.install }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Release.Name }}-{{ .Values.controller.name}}-minio-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-{{ .Values.controller.name}}-minio-secret
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.controller.serviceAccount }}
+    namespace: {{ .Release.Namespace }}
+{{- if .Values.controller.workflowNamespaces }}
+{{- $uiServiceAccount := .Values.controller.serviceAccount }}
+{{- $namespace := .Release.Namespace }}
+{{- range $key := .Values.controller.workflowNamespaces }}
+  {{- if not (eq $key $namespace) }}
+  - kind: ServiceAccount
+    name: {{ $uiServiceAccount }}
+    namespace: {{ $key }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}