karmada-io
/
karmada
mirror of https://github.com/karmada-io/karmada.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
karmada/charts/templates/pre-install-job.yaml

259 lines
9.9 KiB
YAML
Raw Blame History

{{- if and (eq .Values.installMode "host") (eq .Values.certs.mode "auto") }}
{{- $name := include "karmada.name" . -}}
{{- $namespace := include "karmada.namespace" . -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $name }}-config
namespace: {{ $namespace }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "2"
data:
cert.yaml: |-
apiVersion: v1
kind: Secret
metadata:
name: {{ $name }}-cert
namespace: {{ $namespace }}
type: Opaque
data:
server-ca.crt: |-
{{ print "{{ ca_crt }}" }}
karmada.crt: |-
{{ print "{{ crt }}" }}
karmada.key: |-
{{ print "{{ key }}" }}
front-proxy-ca.crt: |-
{{ print "{{ front_proxy_ca_crt }}" }}
front-proxy-client.crt: |-
{{ print "{{ front_proxy_crt }}" }}
front-proxy-client.key: |-
{{ print "{{ front_proxy_key }}" }}
webhook-cert.yaml: |-
apiVersion: v1
kind: Secret
metadata:
name: {{ $name }}-webhook-cert
namespace: {{ $namespace }}
type: kubernetes.io/tls
data:
tls.crt: |-
{{ print "{{ crt }}" }}
tls.key: |-
{{ print "{{ key }}" }}
kubeconfig.yaml: |-
apiVersion: v1
kind: Secret
metadata:
name: {{ $name }}-kubeconfig
namespace: {{ $namespace }}
stringData:
kubeconfig: |-
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: {{ print "{{ ca_crt }}" }}
insecure-skip-tls-verify: false
server: https://{{ $name }}-apiserver.{{ $namespace }}.svc.{{ .Values.clusterDomain }}:5443
name: {{ $name }}-apiserver
users:
- user:
client-certificate-data: {{ print "{{ crt }}" }}
client-key-data: {{ print "{{ key }}" }}
name: {{ $name }}-apiserver
contexts:
- context:
cluster: {{ $name }}-apiserver
user: {{ $name }}-apiserver
name: {{ $name }}-apiserver
current-context: {{ $name }}-apiserver
static-resources-configmaps.yaml: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $name }}-static-resources
namespace: {{ $namespace }}
data:
{{- print "webhook-configuration.yaml: " | nindent 6 }} |-
{{- include "karmada.webhook.configuration" . | nindent 8 }}
{{- print "system-namespace.yaml: " | nindent 6 }} |-
{{- include "karmada.systemNamespace" . | nindent 8 }}
{{- print "karmada-aggregated-apiserver-apiservice.yaml: " | nindent 6 }} |-
{{- include "karmada.apiservice" . | nindent 8 }}
{{- print "cluster-proxy-admin-rbac.yaml: " | nindent 6 }} |-
{{- include "karmada.proxyRbac" . | nindent 8 }}
crds-configmaps.yaml: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $name }}-crds
namespace: {{ $namespace }}
data:
{{ range $path, $bytes := .Files.Glob (printf "_crds/**")}}
{{ $name := base $path }}
{{- (printf "%s: " $name) | nindent 6 }} |-
{{- $.Files.Get $path | nindent 8 }}
{{ end }}
crds-bases-configmaps.yaml: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $name }}-crds-bases
namespace: {{ $namespace }}
data:
{{ range $path, $bytes := .Files.Glob (printf "_crds/bases/**")}}
{{ $name := base $path }}
{{- (printf "%s: " $name) | nindent 6 }} |-
{{- $.Files.Get $path | nindent 8 }}
{{ end }}
crds-patches-configmaps.yaml: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $name }}-crds-patches
namespace: {{ $namespace }}
data:
{{- print "webhook_in_clusterresourcebindings.yaml: " | nindent 6 }} |-
{{- include "karmada.crd.patch.webhook.clusterresourcebinding" . | nindent 8 }}
{{- print "webhook_in_resourcebindings.yaml: " | nindent 6 }} |-
{{- include "karmada.crd.patch.webhook.resourcebinding" . | nindent 8 }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: "{{ $name }}-pre-install"
namespace: {{ $namespace }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "3"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
parallelism: 1
completions: 1
template:
metadata:
name: {{ $name }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ $name | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
spec:
serviceAccountName: {{ $name }}-pre-job
restartPolicy: Never
initContainers:
- name: init
image: {{ .Values.preInstallJob.initContainerImage }}
imagePullPolicy: IfNotPresent
workingDir: /opt/mount
command:
- /bin/sh
- -c
- |
bash <<'EOF'
set -ex
mkdir -p /opt/configs
mkdir -p /opt/certs
cp -r -L /opt/mount/* /opt/configs/
openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/server-ca.key" -out "/opt/certs/server-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
openssl req -x509 -sha256 -new -nodes -days 365 -newkey rsa:2048 -keyout "/opt/certs/front-proxy-ca.key" -out "/opt/certs/front-proxy-ca.crt" -subj "/C=xx/ST=x/L=x/O=x/OU=x/CN=ca/emailAddress=x/"
echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/server-ca-config.json"
echo '{"CN":"system:admin","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/server-ca.crt -ca-key=/opt/certs/server-ca.key -config=/opt/certs/server-ca-config.json - | cfssljson -bare /opt/certs/karmada
echo '{"signing":{"default":{"expiry":{{ printf `"%s"` .Values.certs.auto.expiry }},"usages":["signing","key encipherment","client auth","server auth"]}}}' > "/opt/certs/front-proxy-ca-config.json"
echo '{"CN":"front-proxy-client","hosts":{{ tpl (toJson .Values.certs.auto.hosts) . }},"names":[{"O":"system:masters"}],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=/opt/certs/front-proxy-ca.crt -ca-key=/opt/certs/front-proxy-ca.key -config=/opt/certs/front-proxy-ca-config.json - | cfssljson -bare /opt/certs/front-proxy-client
karmada_ca=$(base64 /opt/certs/server-ca.crt | tr -d '\r\n')
karmada_crt=$(base64 /opt/certs/karmada.pem | tr -d '\r\n')
karmada_key=$(base64 /opt/certs/karmada-key.pem | tr -d '\r\n')
front_proxy_ca=$(base64 /opt/certs/front-proxy-ca.crt | tr -d '\r\n')
front_proxy_client_crt=$(base64 /opt/certs/front-proxy-client.pem | tr -d '\r\n')
front_proxy_client_key=$(base64 /opt/certs/front-proxy-client-key.pem | tr -d '\r\n')
sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/cert.yaml
sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/cert.yaml
sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/cert.yaml
sed -i'' -e "s/{{ print "{{ front_proxy_ca_crt }}" }}/${front_proxy_ca}/g" /opt/configs/cert.yaml
sed -i'' -e "s/{{ print "{{ front_proxy_crt }}" }}/${front_proxy_client_crt}/g" /opt/configs/cert.yaml
sed -i'' -e "s/{{ print "{{ front_proxy_key }}" }}/${front_proxy_client_key}/g" /opt/configs/cert.yaml
sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/kubeconfig.yaml
sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/kubeconfig.yaml
sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/kubeconfig.yaml
sed -i'' -e "s/{{ print "{{ crt }}" }}/${karmada_crt}/g" /opt/configs/webhook-cert.yaml
sed -i'' -e "s/{{ print "{{ key }}" }}/${karmada_key}/g" /opt/configs/webhook-cert.yaml
sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/static-resources-configmaps.yaml
sed -i'' -e "s/{{ print "{{ ca_crt }}" }}/${karmada_ca}/g" /opt/configs/crds-patches-configmaps.yaml
EOF
volumeMounts:
- name: mount
mountPath: /opt/mount
- name: configs
mountPath: /opt/configs
containers:
- name: pre-install
image: {{ .Values.preInstallJob.preInstallContainerImage }}
imagePullPolicy: IfNotPresent
workingDir: /opt/mount
command:
- /bin/sh
- -c
- |
bash <<'EOF'
set -ex
kubectl apply --server-side -f /opt/configs/
EOF
volumeMounts:
- name: mount
mountPath: /opt/mount
- name: configs
mountPath: /opt/configs
volumes:
- name: mount
configMap:
name: {{ $name }}-config
- name: configs
emptyDir: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}-pre-job
namespace: {{ $namespace }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "1"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ $name }}-pre-job
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "1"
rules:
- apiGroups: ['*']
resources: ['*']
verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]
- nonResourceURLs: ['*']
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $name }}-pre-job
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "1"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $name }}-pre-job
subjects:
- kind: ServiceAccount
name: {{ $name }}-pre-job
namespace: {{ $namespace }}
---
{{- end }}
Reference in New Issue View Git Blame Copy Permalink