Add RBAC and secret/env injection to helm chart

jsotelo · Aug 6, 2020 · aaabe41 · aaabe41
1 parent abd63fb
commit aaabe41
Show file tree

Hide file tree

Showing 10 changed files with 186 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -29,6 +29,9 @@ venv.bak/
 dmypy.json
 MANIFEST
 
+# IDEs
+.vscode/
+
 # Added by mp-maker
 **/build
 /config

diff --git a/contrib/kubernetes/datahub/charts/datahub-gms/templates/deployment.yaml b/contrib/kubernetes/datahub/charts/datahub-gms/templates/deployment.yaml
@@ -101,6 +101,19 @@ spec:
                 secretKeyRef:
                   name: {{ include "datahub-gms.fullname" . }}-secret
                   key: neo4j.password
+          {{- if or $.Values.env $.Values.envSecrets }}
+            {{- range $key, $value := $.Values.env }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- range $key, $secret := $.Values.envSecrets }}
+            - name: {{ $key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secret }}
+                  key: {{ $key | quote }}
+            {{- end }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/contrib/kubernetes/datahub/charts/datahub-gms/values.yaml b/contrib/kubernetes/datahub/charts/datahub-gms/values.yaml
@@ -13,6 +13,17 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: "datahub-gms-deployment"
 
+# # Environment variables to set as part of the deployment
+# env:
+#   # Example
+#   SPRING_KAFKA_PROPERTIES_SECURITY_PROTOCOL: SASL_PLAINTEXT
+
+# # K8s secrets that should be deployed as environment variables
+# envSecrets:
+#   # In the example below the env variable will be set to the value in the
+#   # secret 'neo4j-Credentials' that shares the same key
+#   NEO4J_PASSWORD: neo4j-credentials
+
 serviceAccount:
   # Specifies whether a service account should be created
   create: true

diff --git a/contrib/kubernetes/datahub/charts/datahub-mae-consumer/templates/deployment.yaml b/contrib/kubernetes/datahub/charts/datahub-mae-consumer/templates/deployment.yaml
@@ -72,6 +72,19 @@ spec:
                 secretKeyRef:
                   name: datahub-gms-deployment-secret
                   key: neo4j.password
+          {{- if or $.Values.env $.Values.envSecrets }}
+            {{- range $key, $value := $.Values.env }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- range $key, $secret := $.Values.envSecrets }}
+            - name: {{ $key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secret }}
+                  key: {{ $key | quote }}
+            {{- end }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/contrib/kubernetes/datahub/charts/datahub-mae-consumer/values.yaml b/contrib/kubernetes/datahub/charts/datahub-mae-consumer/values.yaml
@@ -13,6 +13,16 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: "datahub-mae-consumer"
 
+# # Environment variables to set as part of the deployment
+# env:
+#   # Example
+#   SPRING_KAFKA_PROPERTIES_SECURITY_PROTOCOL: SASL_PLAINTEXT
+
+# # K8s secrets that should be deployed as environment variables
+# envSecrets:
+#   # In the example below the env variable will be set to the value in the
+#   # secret 'neo4j-Credentials' that shares the same key
+#   NEO4J_PASSWORD: neo4j-credentials
 serviceAccount:
   # Specifies whether a service account should be created
   create: true

diff --git a/contrib/kubernetes/datahub/charts/datahub-mce-consumer/templates/deployment.yaml b/contrib/kubernetes/datahub/charts/datahub-mce-consumer/templates/deployment.yaml
@@ -46,6 +46,19 @@ spec:
               value: "{{ .Values.global.datahub.gms.host }}"
             - name: GMS_PORT
               value: "{{ .Values.global.datahub.gms.port }}"
+          {{- if or $.Values.env $.Values.envSecrets }}
+            {{- range $key, $value := $.Values.env }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+            {{- range $key, $secret := $.Values.envSecrets }}
+            - name: {{ $key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secret }}
+                  key: {{ $key | quote }}
+            {{- end }}
+          {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/contrib/kubernetes/datahub/charts/datahub-mce-consumer/values.yaml b/contrib/kubernetes/datahub/charts/datahub-mce-consumer/values.yaml
@@ -11,7 +11,18 @@ image:
 
 imagePullSecrets: []
 nameOverride: ""
-fullnameOverride: ""
+fullnameOverride: "datahub-mce-consumer"
+
+# # Environment variables to set as part of the deployment
+# env:
+#   # Example
+#   SPRING_KAFKA_PROPERTIES_SECURITY_PROTOCOL: SASL_PLAINTEXT
+
+# # K8s secrets that should be deployed as environment variables
+# envSecrets:
+#   # In the example below the env variable will be set to the value in the
+#   # secret 'neo4j-Credentials' that shares the same key
+#   NEO4J_PASSWORD: neo4j-credentials
 
 serviceAccount:
   # Specifies whether a service account should be created

diff --git a/contrib/kubernetes/datahub/templates/_helpers.tpl b/contrib/kubernetes/datahub/templates/_helpers.tpl
@@ -61,3 +61,22 @@ Create the name of the service account to use
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+NOTE: This utility template is needed until https://git.io/JvuGN is resolved.
+
+Call a template from the context of a subchart.
+
+Usage:
+  {{ include "call-nested" (list . "<subchart_name>" "<subchart_template_name>") }}
+*/}}
+{{- define "call-nested" }}
+{{- $dot := index . 0 }}
+{{- $subchart := index . 1 | splitList "." }}
+{{- $template := index . 2 }}
+{{- $values := $dot.Values }}
+{{- range $subchart }}
+{{- $values = index $values . }}
+{{- end }}
+{{- include $template (dict "Chart" (dict "Name" (last $subchart)) "Values" $values "Release" $dot.Release "Capabilities" $dot.Capabilities) }}
+{{- end }}
diff --git a/contrib/kubernetes/datahub/templates/rbac.yaml b/contrib/kubernetes/datahub/templates/rbac.yaml
@@ -0,0 +1,80 @@
+{{- if .Values.rbac.create -}}
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "datahub.fullname" . }}
+  labels:
+    {{- include "datahub.labels" . | nindent 4 }}
+spec:
+  readOnlyRootFilesystem: false
+  privileged: false
+  allowPrivilegeEscalation: false
+  runAsUser:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  seLinux:
+    rule: 'RunAsAny'
+  volumes:
+    - configMap
+    - downwardAPI
+    - emptyDir
+    - persistentVolumeClaim
+    - secret
+    - projected
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: datahub
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+  - apiGroups:
+      - ''
+    resources:
+      - pods/log
+    verbs:
+      - get
+  - apiGroups:
+      - policy
+    resourceNames:
+      - {{ include "datahub.fullname" . }}
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "datahub.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "datahub.fullname" . }}
+subjects:
+{{- /* Create a unique list (set) of all the subchart serviceAccountNames */ -}}
+{{- $serviceAccounts := list (include "datahub.serviceAccountName" .) (include "call-nested" (list . "datahub-frontend" "datahub-frontend.serviceAccountName")) (include "call-nested" (list . "datahub-gms" "datahub-gms.serviceAccountName")) (include "call-nested" (list . "datahub-mae-consumer" "datahub-mae-consumer.serviceAccountName")) (include "call-nested" (list . "datahub-mce-consumer" "datahub-mce-consumer.serviceAccountName")) | uniq -}}
+{{- $namespace := .Release.Namespace -}}
+{{- range $i, $accountName := $serviceAccounts }}
+  - kind: ServiceAccount
+    namespace: {{ $namespace }}
+    name: {{ $accountName }}
+{{- end }}
+{{- end }}
diff --git a/contrib/kubernetes/datahub/values.yaml b/contrib/kubernetes/datahub/values.yaml
@@ -63,4 +63,15 @@ global:
         - "broker"
         - "mysql"
         - "elasticsearch"
-        - "neo4j"
+        - "neo4j"
+
+rbac:
+  # Specifies whether RBAC resources should be created
+  create: true
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  create: true
+  # The name of the ServiceAccount to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: