diff --git a/charts/access-manager/.helmignore b/charts/access-manager/.helmignore
new file mode 100644
index 0000000..daebc7d
--- /dev/null
+++ b/charts/access-manager/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/access-manager/Chart.yaml b/charts/access-manager/Chart.yaml
new file mode 100644
index 0000000..5b78456
--- /dev/null
+++ b/charts/access-manager/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+description: Kubernetes-Operator to simplify RBAC configurations
+name: access-manager
+version: 0.1.0
+appVersion: 0.1.0
+home: https://github.com/ckotzbauer/access-manager
+sources:
+ - https://github.com/ckotzbauer/access-manager
+ - https://github.com/ckotzbauer/helm-charts
+keywords:
+ - kubernetes-operator
+ - operator
+ - rbac
+maintainers:
+ - name: ckotzbauer
+ email: christian.kotzbauer@gmail.com
diff --git a/charts/access-manager/README.md b/charts/access-manager/README.md
new file mode 100644
index 0000000..fee899c
--- /dev/null
+++ b/charts/access-manager/README.md
@@ -0,0 +1,69 @@
+# Access-Manager
+
+Kubernetes-Operator to simplify RBAC configurations.
+
+Learn more: [https://github.com/ckotzbauer/access-manager](https://github.com/ckotzbauer/access-manager)
+
+## TL;DR;
+
+```bash
+$ helm install ckotzbauer/access-manager
+```
+
+## Prerequisites
+
+- Kubernetes 1.9+
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```bash
+$ helm install --name my-release ckotzbauer/access-manager
+```
+
+The command deploys the access-manager operator on the Kubernetes cluster using the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```bash
+$ helm delete my-release
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Configuration
+
+The following table lists the configurable parameters of the Prometheus MSTeams chart and their default values.
+
+| Parameter | Description | Default |
+| -------------------------------------- | ------------------------------------------------- | ----------------------------- |
+| `image.repository` | container image repository | `ckotzbauer/access-manager` |
+| `image.tag` | container image tag | `0.1.0` |
+| `image.pullPolicy` | container image pull policy | `IfNotPresent` |
+| `nodeSelector` | node labels for pod assignment | `{}` |
+| `tolerations` | node tolerations for pod assignment | `[]` |
+| `affinity` | node affinity for pod assignment | `{}` |
+| `podAnnotations` | annotations to add to each pod | `{}` |
+| `resources` | pod resource requests & limits | See [values.yaml](values.yaml)|
+| `securityContext` | container securityContext | See [values.yaml](values.yaml)|
+| `serviceAccount.create` | Should we create a ServiceAccount | `true` |
+| `serviceAccount.name` | Name of the ServiceAccount to use | null |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```bash
+$ helm install --name my-release \
+ --set key_1=value_1,key_2=value_2 \
+ ckotzbauer/access-manager
+```
+
+Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
+
+```bash
+# example for staging
+$ helm install --name my-release -f values.yaml ckotzbauer/access-manager
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
diff --git a/charts/access-manager/crds/rbacdefinitions.yaml b/charts/access-manager/crds/rbacdefinitions.yaml
new file mode 100644
index 0000000..2745393
--- /dev/null
+++ b/charts/access-manager/crds/rbacdefinitions.yaml
@@ -0,0 +1,111 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: rbacdefinitions.access-manager.io
+spec:
+ group: access-manager.io
+ names:
+ kind: RbacDefinition
+ listKind: RbacDefinitionList
+ plural: rbacdefinitions
+ singular: rbacdefinition
+ scope: Cluster
+ versions:
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: RbacDefinition is the Schema for the rbacdefinitions API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: RbacDefinitionSpec defines the desired state of RbacDefinition
+ type: object
+ properties:
+ paused:
+ type: boolean
+ namespaced:
+ description: Defines the desired state of RoleBindings
+ type: array
+ items:
+ type: object
+ properties:
+ namespace:
+ type: object
+ properties:
+ name:
+ type: string
+ namespaceSelector:
+ type: object
+ properties:
+ matchLabels:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ matchExpressions:
+ type: array
+ items:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ bindings:
+ type: array
+ items:
+ type: object
+ properties:
+ name:
+ type: string
+ roleName:
+ type: string
+ kind:
+ type: string
+ subjects:
+ type: array
+ items:
+ type: object
+ properties:
+ name:
+ type: string
+ kind:
+ type: string
+ namespace:
+ type: string
+
+ cluster:
+ description: Defines the desired state of ClusterRoleBindings
+ type: array
+ items:
+ type: object
+ properties:
+ name:
+ type: string
+ clusterRoleName:
+ type: string
+ subjects:
+ type: array
+ items:
+ type: object
+ properties:
+ name:
+ type: string
+ kind:
+ type: string
+ namespace:
+ type: string
+
+ status:
+ description: RbacDefinitionStatus defines the observed state of RbacDefinition
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/access-manager/templates/NOTES.txt b/charts/access-manager/templates/NOTES.txt
new file mode 100644
index 0000000..920c959
--- /dev/null
+++ b/charts/access-manager/templates/NOTES.txt
@@ -0,0 +1,6 @@
+** Please be patient while the chart is being deployed **
+
+To monitor the deployment, execute the following command:
+
+ kubectl get pods -l name={{ template "app.name" . }} --namespace {{ .Release.Namespace }} -w
+
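Review bot: The `kind` fields under `namespaced[].bindings[]` and in both `subjects[]` arrays are unconstrained `type: string`, so a misspelled or wrong-case kind is accepted by the API server and only fails later inside the operator, where it is harder to notice than an admission error. If the controller only handles the standard Kubernetes values, an `enum` on those fields (`enum: [Role, ClusterRole]` for the binding kind, `enum: [User, Group, ServiceAccount]` for subject kinds) would make a definition self-validating; the accepted set should be confirmed against the controller before adding it. `paused` is also the only spec field without a `description`; one sentence on what a paused definition stops reconciling would help readers of `kubectl explain`.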
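Review bot: The label selector in the NOTES.txt monitoring command matches no label the chart sets: deployment.yaml labels the pods with `app:` and `release:`, not `name:`, so `kubectl get pods -l name=...` always returns an empty list. The line should select on the labels the pod template actually carries, `kubectl get pods -l app={{ template "app.name" . }},release={{ .Release.Name }} --namespace {{ .Release.Namespace }} -w`.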
diff --git a/charts/access-manager/templates/_helpers.tpl b/charts/access-manager/templates/_helpers.tpl
new file mode 100644
index 0000000..9e4e4f5
--- /dev/null
+++ b/charts/access-manager/templates/_helpers.tpl
@@ -0,0 +1,43 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "app.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app.name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "app.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "app.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "app.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "app.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/access-manager/templates/clusterrolebinding.yaml b/charts/access-manager/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..42c7956
--- /dev/null
+++ b/charts/access-manager/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "app.serviceAccountName" . }}
+ labels:
+ app: {{ template "app.name" . }}
+ chart: {{ template "app.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "app.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/access-manager/templates/deployment.yaml b/charts/access-manager/templates/deployment.yaml
new file mode 100644
index 0000000..228f869
--- /dev/null
+++ b/charts/access-manager/templates/deployment.yaml
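Review bot: `roleRef` binds the operator's ServiceAccount to `cluster-admin`, the widest privilege in the cluster, so any compromise of the operator pod or of the image pulled via `image.tag` in values.yaml becomes a full cluster compromise, and it is more than the controller needs. An operator that creates RoleBindings and ClusterRoleBindings needs CRUD on `rolebindings`/`clusterrolebindings`, the `bind` (or `escalate`) verb on `roles`/`clusterroles` unless it already holds the permissions it grants, list/watch on `namespaces`, and access to `rbacdefinitions.access-manager.io`; a chart-managed ClusterRole with exactly that rule set, confirmed against the controller's own RBAC manifest, would let the line read `name: {{ template "app.fullname" . }}` instead of `name: cluster-admin`. The binding is also named after the ServiceAccount, so with `serviceAccount.create=false` and no name set it becomes a cluster-scoped object called `default`, which is easy to collide with across releases; naming it via `app.fullname` avoids that.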
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "app.name" . }}
+ labels:
+ app: {{ template "app.name" . }}
+ chart: {{ template "app.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ template "app.name" . }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ template "app.name" . }}
+ release: {{ .Release.Name }}
+ {{- if .Values.podAnnotations }}
+ annotations:
+ {{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ template "app.serviceAccountName" . }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - access-manager
+ env:
+ - name: WATCH_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAME
+ value: "access-manager"
+ securityContext:
+{{ toYaml .Values.securityContext | indent 12 }}
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
diff --git a/charts/access-manager/templates/serviceaccount.yaml b/charts/access-manager/templates/serviceaccount.yaml
new file mode 100644
index 0000000..d62f06a
--- /dev/null
+++ b/charts/access-manager/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+{{ if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: {{ template "app.name" . }}
+ chart: {{ template "app.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ name: {{ template "app.serviceAccountName" . }}
+{{- end -}}
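Review bot: The Deployment's `metadata.name` uses `app.name` (the bare chart name by default) while the ServiceAccount and ClusterRoleBinding in this commit are named through `app.serviceAccountName`, which falls back to `app.fullname`; two releases in one namespace would therefore collide on the Deployment name even though `release:` is already part of `matchLabels` and nothing depends on the short name. Changing that line to `name: {{ template "app.fullname" . }}` keeps all three objects named consistently. Separately, `WATCH_NAMESPACE` is populated from the pod's own namespace although crds/rbacdefinitions.yaml declares the CRD with `scope: Cluster`; if the controller uses that variable to narrow its cache, cluster-scoped definitions may never be observed, which is worth confirming against the operator code before release.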
diff --git a/charts/access-manager/values.yaml b/charts/access-manager/values.yaml
new file mode 100644
index 0000000..b3f8882
--- /dev/null
+++ b/charts/access-manager/values.yaml
@@ -0,0 +1,37 @@
+# Default values for access-manager.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ repository: ckotzbauer/access-manager
+ tag: 0.1.0
+ pullPolicy: IfNotPresent
+
+podAnnotations: {}
+
+resources:
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ limits:
+ cpu: 50m
+ memory: 128Mi
+
+securityContext:
+ privileged: false
+ runAsUser: 1001
+ runAsNonRoot: false
+
+serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+
+ # The name of the ServiceAccount to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
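Review bot: The default `securityContext` sets `runAsUser: 1001` but `runAsNonRoot: false`, so the kubelet never enforces the non-root requirement and a `--set securityContext.runAsUser=0` override, or a future image whose `USER` is root, runs as root without any error; the two settings are only meaningful together. Since this container's ServiceAccount is bound to cluster-admin by clusterrolebinding.yaml, hardening it is worth more than usual: `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are safe additions, and `readOnlyRootFilesystem: true` is worth testing once it is confirmed the binary writes nothing to disk. The `serviceAccount.name` comment says a name is "generated using the fullname template" when `create` is true, which matches `app.serviceAccountName` in _helpers.tpl, but it does not say that with `create: false` and no name the templates fall back to the namespace's `default` ServiceAccount; one added comment line would save operators a surprise.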