first commit
This commit is contained in:
40
templates/fusion-operator/jobs/calico.netpol.yaml
Normal file
40
templates/fusion-operator/jobs/calico.netpol.yaml
Normal file
@@ -0,0 +1,40 @@
|
||||
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
|
||||
{{- if .Values.fusionOperator.calicoNetpol.enabled }}
|
||||
apiVersion: projectcalico.org/v3
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: crd-netpol
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
|
||||
"helm.sh/hook-weight": "-5"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
spec:
|
||||
order: 10
|
||||
selector: dplane == 'crd-job'
|
||||
types:
|
||||
- Ingress
|
||||
- Egress
|
||||
egress:
|
||||
# allow to communicate to DNS pods
|
||||
- action: Allow
|
||||
protocol: UDP
|
||||
destination:
|
||||
namespaceSelector: projectcalico.org/name == 'kube-system'
|
||||
ports:
|
||||
- 53
|
||||
- action: Allow
|
||||
protocol: TCP
|
||||
destination:
|
||||
namespaceSelector: projectcalico.org/name == 'kube-system'
|
||||
ports:
|
||||
- 53
|
||||
# allow to communicate with k8s api server
|
||||
- action: Allow
|
||||
destination:
|
||||
services:
|
||||
name: kubernetes
|
||||
namespace: default
|
||||
protocol: TCP
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
21
templates/fusion-operator/jobs/clusterrole.yaml
Normal file
21
templates/fusion-operator/jobs/clusterrole.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "fusionOperator.name" . }}-role
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
|
||||
"helm.sh/hook-weight": "-1"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
rules:
|
||||
- apiGroups: ["apiextensions.k8s.io"]
|
||||
resources:
|
||||
- customresourcedefinitions
|
||||
verbs:
|
||||
- delete
|
||||
- create
|
||||
- update
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
{{- end }}
|
||||
18
templates/fusion-operator/jobs/clusterrolebinding.yaml
Normal file
18
templates/fusion-operator/jobs/clusterrolebinding.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: {{ template "fusionOperator.name" . }}-role-binding
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
|
||||
"helm.sh/hook-weight": "-1"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "fusionOperator.name" . }}-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ .Values.fusionOperator.job.serviceAccount.enabled | ternary .Values.fusionOperator.job.serviceAccount.name "default" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
38
templates/fusion-operator/jobs/crd_remove.yaml
Normal file
38
templates/fusion-operator/jobs/crd_remove.yaml
Normal file
@@ -0,0 +1,38 @@
|
||||
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: remove-crd
|
||||
annotations:
|
||||
"helm.sh/hook": pre-delete
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
labels:
|
||||
dplane: "crd-job"
|
||||
spec:
|
||||
ttlSecondsAfterFinished: {{ .Values.fusionOperator.job.removeJob_ttl }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
dplane: "crd-job"
|
||||
spec:
|
||||
{{- with .Values.global.image.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.fusionOperator.job.serviceAccount.enabled }}
|
||||
serviceAccountName: {{ include "fusionOperator.job.serviceAccountName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.fusionOperator.podSecurityContextEnabled }}
|
||||
securityContext: {{- toYaml .Values.fusionOperator.podSecurityContext | nindent 8 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
- name: delete-crd
|
||||
securityContext: {{- toYaml .Values.fusionOperator.securityContext | nindent 12 }}
|
||||
image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
kubectl delete crd orchestrators.operator.fusion.axway.com --ignore-not-found=true
|
||||
{{- end }}
|
||||
40
templates/fusion-operator/jobs/crd_update.yaml
Normal file
40
templates/fusion-operator/jobs/crd_update.yaml
Normal file
@@ -0,0 +1,40 @@
|
||||
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: apply-crd
|
||||
annotations:
|
||||
"helm.sh/hook": pre-install,pre-upgrade
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
labels:
|
||||
dplane: "crd-job"
|
||||
spec:
|
||||
ttlSecondsAfterFinished: {{ .Values.fusionOperator.job.updateJob_ttl }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
dplane: "crd-job"
|
||||
spec:
|
||||
{{- with .Values.global.image.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.fusionOperator.job.serviceAccount.enabled }}
|
||||
serviceAccountName: {{ include "fusionOperator.job.serviceAccountName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.fusionOperator.podSecurityContextEnabled }}
|
||||
securityContext: {{- toYaml .Values.fusionOperator.podSecurityContext | nindent 8 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
- name: apply-crd
|
||||
securityContext: {{- toYaml .Values.fusionOperator.securityContext | nindent 12 }}
|
||||
image: "{{ default .Values.global.image.repository .Values.global.alpinetools.image.repository }}/{{ .Values.global.alpinetools.image.name }}:{{ .Values.global.alpinetools.image.tag }}"
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
cat <<EOF | kubectl apply -f -
|
||||
{{ .Files.Get "crd/orchestrator.yaml" | nindent 14 }}
|
||||
EOF
|
||||
{{- end }}
|
||||
18
templates/fusion-operator/jobs/serviceaccount.yaml
Normal file
18
templates/fusion-operator/jobs/serviceaccount.yaml
Normal file
@@ -0,0 +1,18 @@
|
||||
{{- if and .Values.fusionOperator.enabled (eq (include "parent.dataplaneMode" . ) "shared") }}
|
||||
{{- if ( and .Values.fusionOperator.job.serviceAccount.enabled ( not .Values.fusionOperator.job.serviceAccount.preexisting ) ) -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "fusionOperator.job.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "fusionOperator.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- with .Values.fusionOperator.job.serviceAccount.annotations }}
|
||||
{{- toYaml . }}
|
||||
{{- end }}
|
||||
"helm.sh/hook": pre-install,pre-upgrade,pre-delete
|
||||
"helm.sh/hook-weight": "-1"
|
||||
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
|
||||
automountServiceAccountToken: {{ .Values.fusionOperator.job.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
Reference in New Issue
Block a user