257 lines
9.7 KiB
YAML
257 lines
9.7 KiB
YAML
{{- if and (eq .Values.installMode "host") (eq .Values.certs.mode "auto") }}
|
|
{{- $name := include "karmada.name" . -}}
|
|
{{- $namespace := include "karmada.namespace" . -}}
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {{ $name }}-config
|
|
namespace: {{ $namespace }}
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-weight": "2"
|
|
data:
|
|
cert.yaml: |-
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: {{ $name }}-cert
|
|
namespace: {{ $namespace }}
|
|
type: Opaque
|
|
data:
|
|
server-ca.crt: |-
|
|
{{ print "{{ ca_crt }}" }}
|
|
karmada.crt: |-
|
|
{{ print "{{ crt }}" }}
|
|
karmada.key: |-
|
|
{{ print "{{ key }}" }}
|
|
front-proxy-ca.crt: |-
|
|
{{ print "{{ front_proxy_ca_crt }}" }}
|
|
front-proxy-client.crt: |-
|
|
{{ print "{{ front_proxy_crt }}" }}
|
|
front-proxy-client.key: |-
|
|
{{ print "{{ front_proxy_key }}" }}
|
|
webhook-cert.yaml: |-
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: {{ $name }}-webhook-cert
|
|
namespace: {{ $namespace }}
|
|
type: kubernetes.io/tls
|
|
data:
|
|
tls.crt: |-
|
|
{{ print "{{ crt }}" }}
|
|
tls.key: |-
|
|
{{ print "{{ key }}" }}
|
|
kubeconfig.yaml: |-
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: {{ $name }}-kubeconfig
|
|
namespace: {{ $namespace }}
|
|
stringData:
|
|
kubeconfig: |-
|
|
apiVersion: v1
|
|
kind: Config
|
|
clusters:
|
|
- cluster:
|
|
certificate-authority-data: {{ print "{{ ca_crt }}" }}
|
|
insecure-skip-tls-verify: false
|
|
server: https://{{ $name }}-apiserver.{{ $namespace }}.svc.{{ .Values.clusterDomain }}:5443
|
|
name: {{ $name }}-apiserver
|
|
users:
|
|
- user:
|
|
client-certificate-data: {{ print "{{ crt }}" }}
|
|
client-key-data: {{ print "{{ key }}" }}
|
|
name: {{ $name }}-apiserver
|
|
contexts:
|
|
- context:
|
|
cluster: {{ $name }}-apiserver
|
|
user: {{ $name }}-apiserver
|
|
name: {{ $name }}-apiserver
|
|
current-context: {{ $name }}-apiserver
|
|
static-resources-configmaps.yaml: |-
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {{ $name }}-static-resources
|
|
namespace: {{ $namespace }}
|
|
data:
|
|
{{- print "webhook-configuration.yaml: " | nindent 6 }} |-
|
|
{{- include "karmada.webhook.configuration" . | nindent 8 }}
|
|
{{- print "system-namespace.yaml: " | nindent 6 }} |-
|
|
{{- include "karmada.systemNamespace" . | nindent 8 }}
|
|
{{- print "apiservice.yaml: " | nindent 6 }} |-
|
|
{{- include "karmada.apiservice" . | nindent 8 }}
|
|
crds-configmaps.yaml: |-
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {{ $name }}-crds
|
|
namespace: {{ $namespace }}
|
|
data:
|
|
{{ range $path, $bytes := .Files.Glob (printf "_crds/**")}}
|
|
{{ $name := base $path }}
|
|
{{- (printf "%s: " $name) | nindent 6 }} |-
|
|
{{- $.Files.Get $path | nindent 8 }}
|
|
{{ end }}
|
|
crds-bases-configmaps.yaml: |-
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {{ $name }}-crds-bases
|
|
namespace: {{ $namespace }}
|
|
data:
|
|
{{ range $path, $bytes := .Files.Glob (printf "_crds/bases/**")}}
|
|
{{ $name := base $path }}
|
|
{{- (printf "%s: " $name) | nindent 6 }} |-
|
|
{{- $.Files.Get $path | nindent 8 }}
|
|
{{ end }}
|
|
crds-patches-configmaps.yaml: |-
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: {{ $name }}-crds-patches
|
|
namespace: {{ $namespace }}
|
|
data:
|
|
{{- print "webhook_in_clusterresourcebindings.yaml: " | nindent 6 }} |-
|
|
{{- include "karmada.crd.patch.webhook.clusterresourcebinding" . | nindent 8 }}
|
|
{{- print "webhook_in_resourcebindings.yaml: " | nindent 6 }} |-
|
|
{{- include "karmada.crd.patch.webhook.resourcebinding" . | nindent 8 }}
|
|
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: "{{ $name }}-pre-install"
|
|
namespace: {{ $namespace }}
|
|
annotations:
|
|
# This is what defines this resource as a hook. Without this line, the
|
|
# job is considered part of the release.
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-weight": "3"
|
|
"helm.sh/hook-delete-policy": hook-succeeded
|
|
spec:
|
|
parallelism: 1
|
|
completions: 1
|
|
template:
|
|
metadata:
|
|
name: {{ $name }}
|
|
labels:
|
|
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
|
|
app.kubernetes.io/instance: {{ $name | quote }}
|
|
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
|
|
spec:
|
|
serviceAccountName: {{ $name }}-pre-job
|
|
restartPolicy: Never
|
|
initContainers:
|
|
- name: init
|
|
image: {{ .Values.preInstallJob.initContainerImage }}
|
|
imagePullPolicy: IfNotPresent
|
|
workingDir: /opt/mount
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- |
|
|
bash <<'EOF'
|
|
set -ex
|
|
mkdir -p /opt/configs
|
|
mkdir -p /opt/certs
|
|
cp -r -L /opt/mount/* /opt/configs/
|
|
openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/server-ca.key" -out "/opt/certs/server-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
|
|
openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/front-proxy-ca.key" -out "/opt/certs/front-proxy-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
|
|
echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/server-ca-config.json"
|
|
echo '{"CN":"system:admin","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/server-ca.crt -ca-key=/opt/certs/server-ca.key -config=/opt/certs/server-ca-config.json - | cfssljson -bare /opt/certs/karmada
|
|
echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/front-proxy-ca-config.json"
|
|
echo '{"CN":"front-proxy-client","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/front-proxy-ca.crt -ca-key=/opt/certs/front-proxy-ca.key -config=/opt/certs/front-proxy-ca-config.json - | cfssljson -bare /opt/certs/front-proxy-client
|
|
karmada_ca=$(base64 /opt/certs/server-ca.crt | tr -d '\r\n')
|
|
karmada_crt=$(base64 /opt/certs/karmada.pem | tr -d '\r\n')
|
|
karmada_key=$(base64 /opt/certs/karmada-key.pem | tr -d '\r\n')
|
|
front_proxy_ca=$(base64 /opt/certs/front-proxy-ca.crt | tr -d '\r\n')
|
|
front_proxy_client_crt=$(base64 /opt/certs/front-proxy-client.pem | tr -d '\r\n')
|
|
front_proxy_client_key=$(base64 /opt/certs/front-proxy-client-key.pem | tr -d '\r\n')
|
|
sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/cert.yaml
|
|
sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/cert.yaml
|
|
sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/cert.yaml
|
|
sed -i'' -e "s/{{ print "{{ front_proxy_ca_crt }}" }}/${front_proxy_ca}/g" /opt/configs/cert.yaml
|
|
sed -i'' -e "s/{{ print "{{ front_proxy_crt }}" }}/${front_proxy_client_crt}/g" /opt/configs/cert.yaml
|
|
sed -i'' -e "s/{{ print "{{ front_proxy_key }}" }}/${front_proxy_client_key}/g" /opt/configs/cert.yaml
|
|
sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/kubeconfig.yaml
|
|
sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/kubeconfig.yaml
|
|
sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/kubeconfig.yaml
|
|
sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/webhook-cert.yaml
|
|
sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/webhook-cert.yaml
|
|
sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/static-resources-configmaps.yaml
|
|
sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/crds-patches-configmaps.yaml
|
|
EOF
|
|
volumeMounts:
|
|
- name: mount
|
|
mountPath: /opt/mount
|
|
- name: configs
|
|
mountPath: /opt/configs
|
|
containers:
|
|
- name: pre-install
|
|
image: {{ .Values.preInstallJob.preInstallContainerImage }}
|
|
imagePullPolicy: IfNotPresent
|
|
workingDir: /opt/mount
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- |
|
|
bash <<'EOF'
|
|
set -ex
|
|
kubectl apply -f /opt/configs/
|
|
EOF
|
|
volumeMounts:
|
|
- name: mount
|
|
mountPath: /opt/mount
|
|
- name: configs
|
|
mountPath: /opt/configs
|
|
volumes:
|
|
- name: mount
|
|
configMap:
|
|
name: {{ $name }}-config
|
|
- name: configs
|
|
emptyDir: {}
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: {{ $name }}-pre-job
|
|
namespace: {{ $namespace }}
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-weight": "1"
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: {{ $name }}-pre-job
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-weight": "1"
|
|
rules:
|
|
- apiGroups: ['*']
|
|
resources: ['*']
|
|
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
|
|
- nonResourceURLs: ['*']
|
|
verbs: ["get"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: {{ $name }}-pre-job
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-weight": "1"
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: {{ $name }}-pre-job
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ $name }}-pre-job
|
|
namespace: {{ $namespace }}
|
|
---
|
|
{{- end }}
|