Fixed issue with invite user modal for users which were once deactivated (#4185)
* Fixed issue with invite user Signed-off-by: Saranya-jena <saranya.jena@harness.io> * fixed imports Signed-off-by: Saranya-jena <saranya.jena@harness.io> * fixed issue with namespaced scope experiments, removed unused envs Signed-off-by: Saranya-jena <saranya.jena@harness.io> * Removed envs and print statements Signed-off-by: Saranya-jena <saranya.jena@harness.io> * Added 3.0.0 manifests Signed-off-by: Saranya-jena <saranya.jena@harness.io> * updated readme Signed-off-by: Saranya-jena <saranya.jena@harness.io> --------- Signed-off-by: Saranya-jena <saranya.jena@harness.io>
parent
bd59209c1f
commit
6141ddd9cd
|
|
@ -24,7 +24,7 @@ metrics:
|
|||
enabled: false
|
||||
prometheusRule:
|
||||
enabled: false
|
||||
|
||||
|
||||
# bitnami/mongodb is not yet supported on ARM.
|
||||
# Using unofficial tools to build bitnami/mongodb (arm64 support)
|
||||
# more info: https://github.com/ZCube/bitnami-compat
|
||||
|
|
@ -43,5 +43,5 @@ helm install my-release bitnami/mongodb --values mongo-values.yml -n <NAMESPACE>
|
|||
Applying the manifest file will install all the required service account configuration and ChaosCenter.
|
||||
|
||||
```shell
|
||||
kubectl apply -f https://litmuschaos.github.io/litmus/3.0.0-beta10/litmus-3.0.0-beta10.yaml
|
||||
kubectl apply -f https://litmuschaos.github.io/litmus/3.0.0-beta13/litmus-3.0.0.yaml
|
||||
```
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ type Repository interface {
|
|||
UpdateInvite(projectID string, userID string, invitation entities.Invitation, role *entities.MemberRole) error
|
||||
UpdateProjectName(projectID string, projectName string) error
|
||||
GetAggregateProjects(pipeline mongo.Pipeline, opts *options.AggregateOptions) (*mongo.Cursor, error)
|
||||
UpdateProjectState(userID string, deactivateTime int64, isDeactivate bool) error
|
||||
UpdateProjectState(ctx context.Context, userID string, deactivateTime int64, isDeactivate bool) error
|
||||
GetOwnerProjects(ctx context.Context, userID string) ([]*entities.Project, error)
|
||||
GetProjectRole(projectID string, userID string) (*entities.MemberRole, error)
|
||||
GetProjectMembers(projectID string, state string) ([]*entities.Member, error)
|
||||
|
|
@ -288,7 +288,7 @@ func (r repository) GetAggregateProjects(pipeline mongo.Pipeline, opts *options.
|
|||
}
|
||||
|
||||
// UpdateProjectState updates the deactivated_at state of the member and removed_at field of the project
|
||||
func (r repository) UpdateProjectState(userID string, deactivateTime int64, isDeactivate bool) error {
|
||||
func (r repository) UpdateProjectState(ctx context.Context, userID string, deactivateTime int64, isDeactivate bool) error {
|
||||
opts := options.Update().SetArrayFilters(options.ArrayFilters{
|
||||
Filters: []interface{}{
|
||||
bson.D{{"elem.user_id", userID}},
|
||||
|
|
@ -302,7 +302,7 @@ func (r repository) UpdateProjectState(userID string, deactivateTime int64, isDe
|
|||
}},
|
||||
}
|
||||
|
||||
_, err := r.Collection.UpdateMany(context.Background(), filter, update, opts)
|
||||
_, err := r.Collection.UpdateMany(ctx, filter, update, opts)
|
||||
if err != nil {
|
||||
//log.Print("Error updating user's state in projects : ", err)
|
||||
return err
|
||||
|
|
@ -324,7 +324,7 @@ func (r repository) UpdateProjectState(userID string, deactivateTime int64, isDe
|
|||
}},
|
||||
}
|
||||
|
||||
_, err = r.Collection.UpdateMany(context.Background(), filter, update)
|
||||
_, err = r.Collection.UpdateMany(ctx, filter, update)
|
||||
if err != nil {
|
||||
//log.Print("Error updating user's state in projects : ", err)
|
||||
return err
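Review bot: The doc comment on UpdateProjectState does not say what the new `ctx` parameter is for, although both `UpdateMany` calls now depend on it. Judging by the call in UpdateStateTransaction elsewhere in this commit, which passes `sc`, the context is presumably a session context that ties these two updates to the user-collection update; if that is right, extend the comment along the lines of `// ctx should be the caller's session context so that both updates join its transaction`. The two commented-out `//log.Print(...)` lines beside the `return err` statements could be dropped, or replaced by wrapping the error with the step that failed, since the caller currently cannot tell the member update from the project update. The function body continues outside the hunks shown.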
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ type projectService interface {
|
|||
UpdateInvite(projectID string, userID string, invitation entities.Invitation, role *entities.MemberRole) error
|
||||
UpdateProjectName(projectID string, projectName string) error
|
||||
GetAggregateProjects(pipeline mongo.Pipeline, opts *options.AggregateOptions) (*mongo.Cursor, error)
|
||||
UpdateProjectState(userID string, deactivateTime int64, isDeactivate bool) error
|
||||
UpdateProjectState(ctx context.Context, userID string, deactivateTime int64, isDeactivate bool) error
|
||||
GetOwnerProjectIDs(ctx context.Context, userID string) ([]*entities.Project, error)
|
||||
GetProjectRole(projectID string, userID string) (*entities.MemberRole, error)
|
||||
GetProjectMembers(projectID string, state string) ([]*entities.Member, error)
|
||||
|
|
@ -68,8 +68,8 @@ func (a applicationService) GetAggregateProjects(pipeline mongo.Pipeline, opts *
|
|||
return a.projectRepository.GetAggregateProjects(pipeline, opts)
|
||||
}
|
||||
|
||||
func (a applicationService) UpdateProjectState(userID string, deactivateTime int64, isDeactivate bool) error {
|
||||
return a.projectRepository.UpdateProjectState(userID, deactivateTime, isDeactivate)
|
||||
func (a applicationService) UpdateProjectState(ctx context.Context, userID string, deactivateTime int64, isDeactivate bool) error {
|
||||
return a.projectRepository.UpdateProjectState(ctx, userID, deactivateTime, isDeactivate)
|
||||
}
|
||||
func (a applicationService) GetOwnerProjectIDs(ctx context.Context, userID string) ([]*entities.Project, error) {
|
||||
return a.projectRepository.GetOwnerProjects(ctx, userID)
|
||||
|
|
|
|||
|
|
@ -48,13 +48,13 @@ func (a applicationService) UpdateStateTransaction(userRequest entities.UpdateUs
|
|||
}
|
||||
|
||||
// Updating details in user collection
|
||||
err = a.UpdateUserState(userRequest.Username, *userRequest.IsDeactivate, deactivateTime)
|
||||
err = a.UpdateUserState(sc, userRequest.Username, *userRequest.IsDeactivate, deactivateTime)
|
||||
if err != nil {
|
||||
log.Info(err)
|
||||
return utils.ErrServerError
|
||||
}
|
||||
// Updating details in project collection
|
||||
err = a.UpdateProjectState(user.ID, deactivateTime, *userRequest.IsDeactivate)
|
||||
err = a.UpdateProjectState(sc, user.ID, deactivateTime, *userRequest.IsDeactivate)
|
||||
if err != nil {
|
||||
log.Info(err)
|
||||
return utils.ErrServerError
|
||||
|
|
|
|||
|
|
@ -1,6 +1,8 @@
|
|||
package services
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/entities"
|
||||
)
|
||||
|
||||
|
|
@ -16,7 +18,7 @@ type userService interface {
|
|||
CreateUser(user *entities.User) (*entities.User, error)
|
||||
UpdateUser(user *entities.UserDetails) error
|
||||
IsAdministrator(user *entities.User) error
|
||||
UpdateUserState(username string, isDeactivate bool, deactivateTime int64) error
|
||||
UpdateUserState(ctx context.Context, username string, isDeactivate bool, deactivateTime int64) error
|
||||
InviteUsers(invitedUsers []string) (*[]entities.User, error)
|
||||
}
|
||||
|
||||
|
|
@ -71,8 +73,8 @@ func (a applicationService) IsAdministrator(user *entities.User) error {
|
|||
}
|
||||
|
||||
// UpdateUserState updates deactivated_at state of the user
|
||||
func (a applicationService) UpdateUserState(username string, isDeactivate bool, deactivateTime int64) error {
|
||||
return a.userRepository.UpdateUserState(username, isDeactivate, deactivateTime)
|
||||
func (a applicationService) UpdateUserState(ctx context.Context, username string, isDeactivate bool, deactivateTime int64) error {
|
||||
return a.userRepository.UpdateUserState(ctx, username, isDeactivate, deactivateTime)
|
||||
}
|
||||
|
||||
func (a applicationService) InviteUsers(invitedUsers []string) (*[]entities.User, error) {
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ type Repository interface {
|
|||
CreateUser(user *entities.User) (*entities.User, error)
|
||||
UpdateUser(user *entities.UserDetails) error
|
||||
IsAdministrator(user *entities.User) error
|
||||
UpdateUserState(username string, isDeactivate bool, deactivateTime int64) error
|
||||
UpdateUserState(ctx context.Context, username string, isDeactivate bool, deactivateTime int64) error
|
||||
InviteUsers(invitedUsers []string) (*[]entities.User, error)
|
||||
}
|
||||
|
||||
|
|
@ -94,8 +94,11 @@ func (r repository) InviteUsers(invitedUsers []string) (*[]entities.User, error)
|
|||
{"_id", bson.D{
|
||||
{"$nin", invitedUsers},
|
||||
}},
|
||||
{"deactivated_at", bson.D{
|
||||
{"$exists", false},
|
||||
{"$or", bson.A{
|
||||
bson.D{{"deactivated_at", bson.D{
|
||||
{"$exists", false},
|
||||
}}},
|
||||
bson.D{{"deactivated_at", nil}},
|
||||
}},
|
||||
})
|
||||
|
||||
|
|
@ -231,15 +234,15 @@ func (r repository) IsAdministrator(user *entities.User) error {
|
|||
}
|
||||
|
||||
// UpdateUserState updates the deactivated_at state of the user
|
||||
func (r repository) UpdateUserState(username string, isDeactivate bool, deactivateTime int64) error {
|
||||
func (r repository) UpdateUserState(ctx context.Context, username string, isDeactivate bool, deactivateTime int64) error {
|
||||
var err error
|
||||
if isDeactivate {
|
||||
_, err = r.Collection.UpdateOne(context.Background(), bson.M{"username": username}, bson.M{"$set": bson.M{
|
||||
_, err = r.Collection.UpdateOne(ctx, bson.M{"username": username}, bson.M{"$set": bson.M{
|
||||
"deactivated_at": deactivateTime,
|
||||
"is_removed": true,
|
||||
}})
|
||||
} else {
|
||||
_, err = r.Collection.UpdateOne(context.Background(), bson.M{"username": username}, bson.M{"$set": bson.M{
|
||||
_, err = r.Collection.UpdateOne(ctx, bson.M{"username": username}, bson.M{"$set": bson.M{
|
||||
"deactivated_at": nil,
|
||||
"is_removed": false,
|
||||
}})
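Review bot: The new `$or` in InviteUsers has no comment explaining why two shapes of `deactivated_at` must be accepted, and the reason is only visible further down in UpdateUserState, whose else branch writes `"deactivated_at": nil` on reactivation. A comment above the `$or` such as `// never-deactivated users lack deactivated_at; reactivated users have it set to null (see UpdateUserState)` would keep the two in step. A MongoDB equality match on null also matches documents where the field is missing, so `bson.D{{"deactivated_at", nil}}` alone should select the same users; if the `$or` is kept for readability the comment can say so. Only `deactivated_at` is checked here while UpdateUserState also maintains `is_removed`, so it is worth confirming which of the two is the field of record for whether a user may be invited. InviteUsers begins and ends outside the hunk.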
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ import (
|
|||
"github.com/litmuschaos/litmus/chaoscenter/graphql/server/pkg/k8s"
|
||||
"github.com/litmuschaos/litmus/chaoscenter/graphql/server/utils"
|
||||
"github.com/sirupsen/logrus"
|
||||
"github.com/tidwall/gjson"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
||||
"io/ioutil"
|
||||
"os"
|
||||
|
|
@ -223,7 +223,7 @@ func ManifestParser(infra dbChaosInfra.ChaosInfra, rootPath string, config *Subs
|
|||
|
||||
// SendRequestToSubscriber sends events from the graphQL server to the subscribers listening for the requests
|
||||
func SendRequestToSubscriber(subscriberRequest SubscriberRequests, r store.StateData) {
|
||||
if utils.Config.InfraScope == string(model.InfraScopeCluster) {
|
||||
if utils.Config.ChaosCenterScope == string(model.InfraScopeCluster) {
|
||||
/*
|
||||
namespace = Obtain from WorkflowManifest or
|
||||
from frontend as a separate workflowNamespace field under ChaosWorkFlowRequest model
|
||||
|
|
@ -250,17 +250,19 @@ func SendRequestToSubscriber(subscriberRequest SubscriberRequests, r store.State
|
|||
|
||||
// SendExperimentToSubscriber sends the workflow to the subscriber to be handled
|
||||
func SendExperimentToSubscriber(projectID string, workflow *model.ChaosExperimentRequest, username *string, externalData *string, reqType string, r *store.StateData) {
|
||||
workflowNamespace := gjson.Get(workflow.ExperimentManifest, "metadata.namespace").String()
|
||||
|
||||
if workflowNamespace == "" {
|
||||
workflowNamespace = utils.Config.InfraNamespace
|
||||
var workflowObj unstructured.Unstructured
|
||||
err := yaml.Unmarshal([]byte(workflow.ExperimentManifest), &workflowObj)
|
||||
if err != nil {
|
||||
fmt.Errorf("error while parsing experiment manifest %v", err)
|
||||
}
|
||||
|
||||
SendRequestToSubscriber(SubscriberRequests{
|
||||
K8sManifest: workflow.ExperimentManifest,
|
||||
RequestType: reqType,
|
||||
ProjectID: projectID,
|
||||
InfraID: workflow.InfraID,
|
||||
Namespace: workflowNamespace,
|
||||
Namespace: workflowObj.GetNamespace(),
|
||||
ExternalData: externalData,
|
||||
Username: username,
|
||||
}, *r)
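Review bot: The `fmt.Errorf` call in the `if err != nil` branch of SendExperimentToSubscriber builds an error value and discards it, so a manifest that fails to parse is neither logged nor stopped; the function still calls SendRequestToSubscriber with `workflowObj.GetNamespace()`, which would be the empty string for an unparsed object. Because the function has no error return, the branch should at least log and bail out, for example `logrus.Errorf("error while parsing experiment manifest: %v", err)` followed by `return`. The same gap exists when the manifest parses but carries no `metadata.namespace`: the lines that appear to be the removed side fell back to a configured namespace and the new side has no replacement, so an explicit empty-namespace check before sending would be worth adding. The function body ends outside this hunk.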
|
||||
|
|
|
|||
|
|
@ -24,7 +24,6 @@ import (
|
|||
var (
|
||||
decUnstructured = yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme)
|
||||
dr dynamic.ResourceInterface
|
||||
AgentNamespace = utils.Config.InfraNamespace
|
||||
)
|
||||
|
||||
// InfraResource This function handles cluster operations
|
||||
|
|
|
|||
|
|
@ -110,7 +110,6 @@ func addKubernetesCMDProbeProperties(newProbe *dbSchemaProbe.Probe, request mode
|
|||
// CMD Probe -> Source
|
||||
if request.KubernetesCMDProperties.Source != nil {
|
||||
var source *v1alpha1.SourceDetails
|
||||
fmt.Println("source", []byte(*request.KubernetesCMDProperties.Source), *request.KubernetesCMDProperties.Source)
|
||||
|
||||
err := json.Unmarshal([]byte(*request.KubernetesCMDProperties.Source), &source)
|
||||
if err != nil {
|
||||
|
|
@ -757,7 +756,6 @@ func GenerateExperimentManifestWithProbes(manifest string, projectID string) (ar
|
|||
if err != nil {
|
||||
return argoTypes.Workflow{}, fmt.Errorf("failed to fetch probe details, error: %s", err.Error())
|
||||
}
|
||||
fmt.Println("probes", probes)
|
||||
probeManifestString, err := GenerateProbeManifest(probe.GetOutputProbe(), annotationKey.Mode)
|
||||
if err != nil {
|
||||
return argoTypes.Workflow{}, fmt.Errorf("failed to generate probe manifest, error: %s", err.Error())
|
||||
|
|
|
|||
|
|
@ -9,9 +9,6 @@ type Configuration struct {
|
|||
InfraDeployments string `required:"true" split_words:"true"`
|
||||
DbServer string `required:"true" split_words:"true"`
|
||||
JwtSecret string `required:"true" split_words:"true"`
|
||||
SelfAgent string `required:"true" split_words:"true"`
|
||||
InfraScope string `required:"true" split_words:"true"`
|
||||
InfraNamespace string `required:"true" split_words:"true"`
|
||||
LitmusPortalNamespace string `required:"true" split_words:"true"`
|
||||
DbUser string `required:"true" split_words:"true"`
|
||||
DbPassword string `required:"true" split_words:"true"`
|
||||
|
|
@ -24,7 +21,6 @@ type Configuration struct {
|
|||
LitmusChaosRunnerImage string `required:"true" split_words:"true"`
|
||||
LitmusChaosExporterImage string `required:"true" split_words:"true"`
|
||||
ContainerRuntimeExecutor string `required:"true" split_words:"true"`
|
||||
HubBranchName string `required:"true" split_words:"true"`
|
||||
WorkflowHelperImageVersion string `required:"true" split_words:"true"`
|
||||
ServerServiceName string `split_words:"true"`
|
||||
NodeName string `split_words:"true"`
|
||||
|
|
|
|||
|
|
@ -207,11 +207,12 @@ func AgentRegister(infraData map[string]string) (bool, error) {
|
|||
|
||||
func applyRequest(requestType string, obj *unstructured.Unstructured) (*unstructured.Unstructured, error) {
|
||||
ctx := context.TODO()
|
||||
|
||||
logrus.Info("Applying request for kind: ", obj.GetKind(), ", resource name: ", obj.GetName(), ", and namespace: ", obj.GetNamespace())
|
||||
if requestType == "create" {
|
||||
response, err := dr.Create(ctx, obj, metav1.CreateOptions{})
|
||||
if k8s_errors.IsAlreadyExists(err) {
|
||||
// This doesnt ever happen even if it does already exist
|
||||
// This doesn't ever happen even if it does already exist
|
||||
logrus.Info("Already exists")
|
||||
return nil, nil
|
||||
}
|
||||
|
|
@ -254,7 +255,6 @@ func applyRequest(requestType string, obj *unstructured.Unstructured) (*unstruct
|
|||
}
|
||||
logrus.Info("successfully deleted for kind: ", obj.GetKind(), ", resource name: ", obj.GetName(), ", and namespace: ", obj.GetNamespace())
|
||||
} else if obj.GetLabels() != nil {
|
||||
fmt.Println(obj)
|
||||
objLabels := obj.GetLabels()
|
||||
delete(objLabels, "updated_by")
|
||||
err = dr.DeleteCollection(ctx, metav1.DeleteOptions{}, metav1.ListOptions{LabelSelector: labels.FormatLabels(objLabels)})
|
||||
|
|
@ -338,7 +338,6 @@ func AgentOperations(infraAction types.Action) (*unstructured.Unstructured, erro
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Obtain REST interface for the GVR
|
||||
if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
|
||||
// namespaced resources should specify the namespace
|
||||
|
|
|
|||
|
|
@ -129,7 +129,7 @@ func RequestProcessor(infraData map[string]string, r types.RawData) error {
|
|||
} else if strings.Index("create update delete get", strings.ToLower(r.Payload.Data.InfraConnect.Action.RequestType)) >= 0 {
|
||||
_, err := k8s.AgentOperations(r.Payload.Data.InfraConnect.Action)
|
||||
if err != nil {
|
||||
return errors.New("error performing infra operationn: " + err.Error())
|
||||
return errors.New("error performing infra operation: " + err.Error())
|
||||
}
|
||||
} else if strings.Index("workflow_delete workflow_run_delete ", strings.ToLower(r.Payload.Data.InfraConnect.Action.RequestType)) >= 0 {
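Review bot: The request-type checks around the corrected message use `strings.Index("create update delete get", ...) >= 0`, which is a substring test rather than a membership test: an empty request type, or any fragment such as `date`, satisfies it and reaches `k8s.AgentOperations`. Since the value is read from the received payload (`r.Payload.Data.InfraConnect.Action.RequestType`), an exact match is safer, for example a `switch strings.ToLower(...)` with `case "create", "update", "delete", "get":`. The `"workflow_delete workflow_run_delete "` branch below follows the same pattern. The if/else chain starts and ends outside the hunk.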
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,779 @@
|
|||
### RBAC Manifests
|
||||
## If SELF_AGENT="true" then these permissions are required to apply
|
||||
## https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/1b_argo_rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: argo-cr-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [pods, pods/exec]
|
||||
verbs: [create, get, list, watch, update, patch, delete]
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps]
|
||||
verbs: [get, watch, list]
|
||||
- apiGroups: [""]
|
||||
resources: [persistentvolumeclaims]
|
||||
verbs: [create, delete]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [workflows, workflows/finalizers]
|
||||
verbs: [get, list, watch, update, patch, delete, create]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources:
|
||||
[
|
||||
workflowtemplates,
|
||||
workflowtemplates/finalizers,
|
||||
clusterworkflowtemplates,
|
||||
clusterworkflowtemplates/finalizers,
|
||||
workflowtasksets,
|
||||
]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [workflowtaskresults]
|
||||
verbs: [list, watch, deletecollection]
|
||||
- apiGroups: [""]
|
||||
resources: [serviceaccounts]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [cronworkflows, cronworkflows/finalizers]
|
||||
verbs: [get, list, watch, update, patch, delete]
|
||||
- apiGroups: [""]
|
||||
resources: [events]
|
||||
verbs: [create, patch]
|
||||
- apiGroups: [policy]
|
||||
resources: [poddisruptionbudgets]
|
||||
verbs: [create, get, delete]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: argo-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: argo-cr-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/2b_litmus_rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: litmus-cluster-scope-for-litmusportal-server
|
||||
labels:
|
||||
app.kubernetes.io/name: litmus
|
||||
# provide unique instance-id if applicable
|
||||
# app.kubernetes.io/instance: litmus-abcxzy
|
||||
app.kubernetes.io/version: 3.0.0
|
||||
app.kubernetes.io/component: operator-clusterrole
|
||||
app.kubernetes.io/part-of: litmus
|
||||
app.kubernetes.io/managed-by: kubectl
|
||||
name: litmus-cluster-scope-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [replicationcontrollers, secrets]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [apps.openshift.io]
|
||||
resources: [deploymentconfigs]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, daemonsets, replicasets, statefulsets]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [batch]
|
||||
resources: [jobs]
|
||||
verbs: [get, list, deletecollection]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [rollouts]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [""]
|
||||
resources: [pods, configmaps, events, services]
|
||||
verbs: [get, create, update, patch, delete, list, watch, deletecollection]
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosexperiments, chaosresults]
|
||||
verbs: [get, create, update, patch, delete, list, watch, deletecollection]
|
||||
- apiGroups: [apiextensions.k8s.io]
|
||||
resources: [customresourcedefinitions]
|
||||
verbs: [list, get]
|
||||
- apiGroups: ["litmuschaos.io"]
|
||||
resources: ["chaosengines/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "create", "list", "update", "delete"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: litmus-cluster-scope-crb-for-litmusportal-server
|
||||
labels:
|
||||
app.kubernetes.io/name: litmus
|
||||
# provide unique instance-id if applicable
|
||||
# app.kubernetes.io/instance: litmus-abcxzy
|
||||
app.kubernetes.io/version: 3.0.0
|
||||
app.kubernetes.io/component: operator-clusterrolebinding
|
||||
app.kubernetes.io/part-of: litmus
|
||||
app.kubernetes.io/managed-by: kubectl
|
||||
name: litmus-cluster-scope-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: litmus-cluster-scope-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/3a_agents_rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: litmus-admin-cr-for-litmusportal-server
|
||||
labels:
|
||||
name: litmus-admin-cr-for-litmusportal-server
|
||||
rules:
|
||||
# ***************************************************************************************
|
||||
# Permissions needed for preparing and monitor the chaos resources by chaos-runner
|
||||
# ***************************************************************************************
|
||||
|
||||
# The chaos operator watches the chaosengine resource and orchestartes the chaos experiment..
|
||||
## .. by creating the chaos-runner
|
||||
|
||||
# for creating and monitoring the chaos-runner pods
|
||||
- apiGroups: [""]
|
||||
resources: [pods, events]
|
||||
verbs: [create, delete, get, list, patch, update, deletecollection]
|
||||
|
||||
# for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
|
||||
- apiGroups: [""]
|
||||
resources: [secrets, configmaps]
|
||||
verbs: [get, list]
|
||||
|
||||
# for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log]
|
||||
verbs: [get, list, watch]
|
||||
|
||||
# for configuring and monitor the experiment job by chaos-runner pod
|
||||
- apiGroups: [batch]
|
||||
resources: [jobs]
|
||||
verbs: [create, list, get, delete, deletecollection]
|
||||
|
||||
# ********************************************************************
|
||||
# Permissions needed for creation and discovery of chaos experiments
|
||||
# ********************************************************************
|
||||
|
||||
# The helper pods are created by experiment to perform the actual chaos injection ...
|
||||
# ... for a period of chaos duration
|
||||
|
||||
# for creating and deleting the helper or target app pod and events by experiment
|
||||
- apiGroups: [""]
|
||||
resources: [pods]
|
||||
verbs: [create, delete, deletecollection]
|
||||
|
||||
# for creating and monitoring the events for chaos operations
|
||||
- apiGroups: [""]
|
||||
resources: [events]
|
||||
verbs: [create, delete, get, list, patch, update, deletecollection]
|
||||
|
||||
# for monitoring the helper and target app pod
|
||||
- apiGroups: [""]
|
||||
resources: [pods]
|
||||
verbs: [get, list, patch, update]
|
||||
|
||||
# for creating and managing to execute comands inside target container
|
||||
- apiGroups: [""]
|
||||
resources: [pods/exec, pods/eviction, replicationcontrollers]
|
||||
verbs: [get, list, create]
|
||||
|
||||
# for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log]
|
||||
verbs: [get, list, watch]
|
||||
|
||||
# for creating and monitoring liveness services or monitoring target app services during chaos injection
|
||||
- apiGroups: [""]
|
||||
resources: [services]
|
||||
verbs: [create, delete, get, list, delete, deletecollection]
|
||||
|
||||
# for checking the app parent resources as deployments or sts and are eligible chaos candidates
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, statefulsets]
|
||||
verbs: [list, get, patch, update, create, delete]
|
||||
|
||||
# for checking the app parent resources as replicasets and are eligible chaos candidates
|
||||
- apiGroups: [apps]
|
||||
resources: [replicasets]
|
||||
verbs: [list, get]
|
||||
|
||||
# for checking the app parent resources as deamonsets and are eligible chaos candidates
|
||||
- apiGroups: [apps]
|
||||
resources: [daemonsets]
|
||||
verbs: [list, get, delete]
|
||||
|
||||
# for checking (openshift) app parent resources if they are eligible chaos candidates
|
||||
- apiGroups: [apps.openshift.io]
|
||||
resources: [deploymentconfigs]
|
||||
verbs: [list, get]
|
||||
|
||||
# for checking (argo) app parent resources if they are eligible chaos candidates
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [rollouts]
|
||||
verbs: [list, get]
|
||||
|
||||
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosexperiments, chaosresults]
|
||||
verbs: [create, list, get, patch, update, delete]
|
||||
|
||||
# for experiment to perform node status checks and other node level operations like taint, drain in the experiment.
|
||||
- apiGroups: [""]
|
||||
resources: [nodes]
|
||||
verbs: [patch, get, list, update]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: litmus-admin-crb-for-litmusportal-server
|
||||
labels:
|
||||
name: litmus-admin-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: litmus-admin-cr-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: chaos-cr-for-litmusportal-server
|
||||
rules:
|
||||
# for managing the pods created by workflow controller to implement individual steps in the workflow
|
||||
- apiGroups: [""]
|
||||
resources: [pods, services, namespaces]
|
||||
verbs: [create, get, watch, patch, delete, list]
|
||||
|
||||
# for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log, secrets, configmaps]
|
||||
verbs: [get, watch, create, delete, patch]
|
||||
|
||||
# for creation & deletion of application in predefined workflows
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, statefulsets]
|
||||
verbs: [get, watch, patch, create, delete]
|
||||
|
||||
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosexperiments, chaosresults, chaosschedules]
|
||||
verbs: [create, list, get, patch, delete, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: chaos-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: chaos-cr-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: subscriber-cr-for-litmusportal-server
|
||||
namespace: litmus
|
||||
labels:
|
||||
name: subscriber-cr-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps, secrets]
|
||||
verbs: [get, create, delete, update]
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: [""]
|
||||
resources: [pods, namespaces, nodes, services]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosschedules, chaosresults]
|
||||
verbs: [get, list, create, delete, update, watch]
|
||||
- apiGroups: [apps.openshift.io]
|
||||
resources: [deploymentconfigs]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, daemonsets, replicasets, statefulsets]
|
||||
verbs: [get, list, delete, deletecollection]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources:
|
||||
[
|
||||
workflows,
|
||||
workflows/finalizers,
|
||||
workflowtemplates,
|
||||
workflowtemplates/finalizers,
|
||||
cronworkflows,
|
||||
cronworkflows/finalizers,
|
||||
clusterworkflowtemplates,
|
||||
clusterworkflowtemplates/finalizers,
|
||||
rollouts,
|
||||
]
|
||||
verbs: [get, list, create, delete, update, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: subscriber-crb-for-litmusportal-server
|
||||
namespace: litmus
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: subscriber-cr-for-litmusportal-server
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: event-tracker-cr-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [eventtracker.litmuschaos.io]
|
||||
resources: [eventtrackerpolicies]
|
||||
verbs: [create, delete, get, list, patch, update, watch]
|
||||
- apiGroups: [eventtracker.litmuschaos.io]
|
||||
resources: [eventtrackerpolicies/status]
|
||||
verbs: [get, patch, update]
|
||||
- apiGroups: ["", extensions, apps]
|
||||
resources:
|
||||
[deployments, daemonsets, statefulsets, pods, configmaps, secrets]
|
||||
verbs: [get, list, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: event-tracker-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: event-tracker-cr-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
# litmus-server-cr is used by the litmusportal-server
|
||||
# If SELF_AGENT=false, then only litmus-server-cr and litmus-server-crb are required.
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: litmus-server-cr
|
||||
rules:
|
||||
- apiGroups: [networking.k8s.io, extensions]
|
||||
resources: [ingresses]
|
||||
verbs: [get]
|
||||
- apiGroups: [""]
|
||||
resources: [services, nodes, pods/log]
|
||||
verbs: [get, watch]
|
||||
- apiGroups: [apiextensions.k8s.io]
|
||||
resources: [customresourcedefinitions]
|
||||
verbs: [create]
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments]
|
||||
verbs: [create]
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps]
|
||||
verbs: [get]
|
||||
- apiGroups: [""]
|
||||
resources: [serviceaccounts]
|
||||
verbs: [create]
|
||||
- apiGroups: [rbac.authorization.k8s.io]
|
||||
resources: [rolebindings, roles, clusterrolebindings, clusterroles]
|
||||
verbs: [create]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: litmus-server-crb
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: litmus-server-cr
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
## Control plane manifests
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: litmus
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: litmus-portal-admin-secret
|
||||
namespace: litmus
|
||||
stringData:
|
||||
JWT_SECRET: "litmus-portal@123"
|
||||
DB_USER: "root"
|
||||
DB_PASSWORD: "1234"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: litmus-portal-admin-config
|
||||
namespace: litmus
|
||||
data:
|
||||
DB_SERVER: mongodb://my-release-mongodb-0.my-release-mongodb-headless.litmus.svc.cluster.local:27017,my-release-mongodb-1.my-release-mongodb-headless.litmus.svc.cluster.local:27017,my-release-mongodb-2.my-release-mongodb-headless.litmus.svc.cluster.local:27017/admin
|
||||
AGENT_SCOPE: cluster
|
||||
AGENT_NAMESPACE: litmus
|
||||
VERSION: "3.0.0"
|
||||
SKIP_SSL_VERIFY: "false"
|
||||
# Configurations if you are using dex for OAuth
|
||||
DEX_ENABLED: "false"
|
||||
OIDC_ISSUER: "http://<Your Domain>:32000"
|
||||
DEX_OAUTH_CALLBACK_URL: "http://<litmus-portal frontend exposed URL>:8080/auth/dex/callback"
|
||||
DEX_OAUTH_CLIENT_ID: "LitmusPortalAuthBackend"
|
||||
DEX_OAUTH_CLIENT_SECRET: "ZXhhbXBsZS1hcHAtc2VjcmV0"
|
||||
OAuthJwtSecret: "litmus-oauth@123"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: litmusportal-frontend-nginx-configuration
|
||||
namespace: litmus
|
||||
data:
|
||||
default.conf: |
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
proxy_temp_path /tmp/proxy_temp_path;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
server_tokens off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
server {
|
||||
listen 8185 default_server;
|
||||
root /opt/chaos;
|
||||
|
||||
location /health {
|
||||
return 200;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_http_version 1.1;
|
||||
add_header Cache-Control "no-cache";
|
||||
try_files $uri /index.html;
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
# redirect server error pages to the static page /50x.html
|
||||
#
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
|
||||
location /auth/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass "http://litmusportal-auth-server-service:9003/";
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass "http://litmusportal-server-service:9002/";
|
||||
}
|
||||
|
||||
location /ws/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass "http://litmusportal-server-service:9002/";
|
||||
}
|
||||
}
|
||||
}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: litmusportal-frontend
|
||||
namespace: litmus
|
||||
labels:
|
||||
component: litmusportal-frontend
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
component: litmusportal-frontend
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
component: litmusportal-frontend
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- name: litmusportal-frontend
|
||||
image: litmuschaos/litmusportal-frontend:3.0.0
|
||||
imagePullPolicy: Always
|
||||
# securityContext:
|
||||
# runAsUser: 2000
|
||||
# allowPrivilegeEscalation: false
|
||||
# runAsNonRoot: true
|
||||
ports:
|
||||
- containerPort: 8185
|
||||
volumeMounts:
|
||||
- name: nginx-config
|
||||
mountPath: /etc/nginx/nginx.conf
|
||||
subPath: nginx.conf
|
||||
volumes:
|
||||
- name: nginx-config
|
||||
configMap:
|
||||
name: litmusportal-frontend-nginx-configuration
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: litmusportal-frontend-service
|
||||
namespace: litmus
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: http
|
||||
port: 9091
|
||||
targetPort: 8185
|
||||
selector:
|
||||
component: litmusportal-frontend
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: litmusportal-server
|
||||
namespace: litmus
|
||||
labels:
|
||||
component: litmusportal-server
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
component: litmusportal-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
component: litmusportal-server
|
||||
spec:
|
||||
volumes:
|
||||
- name: gitops-storage
|
||||
emptyDir: {}
|
||||
- name: hub-storage
|
||||
emptyDir: {}
|
||||
containers:
|
||||
- name: graphql-server
|
||||
image: litmuschaos/litmusportal-server:3.0.0
|
||||
volumeMounts:
|
||||
- mountPath: /tmp/
|
||||
name: gitops-storage
|
||||
- mountPath: /tmp/version
|
||||
name: hub-storage
|
||||
securityContext:
|
||||
runAsUser: 2000
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: litmus-portal-admin-config
|
||||
- secretRef:
|
||||
name: litmus-portal-admin-secret
|
||||
env:
|
||||
# if self-signed certificate are used pass the k8s tls secret name created in portal ns, to allow agents to use tls for communication
|
||||
- name: TLS_SECRET_NAME
|
||||
value: ""
|
||||
- name: LITMUS_PORTAL_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: CHAOS_CENTER_SCOPE
|
||||
value: "cluster"
|
||||
- name: SUBSCRIBER_IMAGE
|
||||
value: "litmuschaos/litmusportal-subscriber:3.0.0"
|
||||
- name: EVENT_TRACKER_IMAGE
|
||||
value: "litmuschaos/litmusportal-event-tracker:3.0.0"
|
||||
- name: ARGO_WORKFLOW_CONTROLLER_IMAGE
|
||||
value: "litmuschaos/workflow-controller:v3.3.1"
|
||||
- name: ARGO_WORKFLOW_EXECUTOR_IMAGE
|
||||
value: "litmuschaos/argoexec:v3.3.1"
|
||||
- name: LITMUS_CHAOS_OPERATOR_IMAGE
|
||||
value: "litmuschaos/chaos-operator:3.0.0-beta10"
|
||||
- name: LITMUS_CHAOS_RUNNER_IMAGE
|
||||
value: "litmuschaos/chaos-runner:3.0.0-beta10"
|
||||
- name: LITMUS_CHAOS_EXPORTER_IMAGE
|
||||
value: "litmuschaos/chaos-exporter:3.0.0-beta10"
|
||||
- name: SERVER_SERVICE_NAME
|
||||
value: "litmusportal-server-service"
|
||||
- name: INFRA_DEPLOYMENTS
|
||||
value: '["app=chaos-exporter", "name=chaos-operator", "app=workflow-controller"]'
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
- name: SELF_AGENT_NODE_SELECTOR
|
||||
value: ""
|
||||
- name: SELF_AGENT_TOLERATIONS
|
||||
value: ""
|
||||
- name: CHAOS_CENTER_UI_ENDPOINT
|
||||
value: ""
|
||||
- name: INGRESS
|
||||
value: "false"
|
||||
- name: INGRESS_NAME
|
||||
value: "litmus-ingress"
|
||||
- name: CONTAINER_RUNTIME_EXECUTOR
|
||||
value: "k8sapi"
|
||||
- name: DEFAULT_HUB_BRANCH_NAME
|
||||
value: "master"
|
||||
- name: LITMUS_AUTH_GRPC_ENDPOINT
|
||||
value: "litmusportal-auth-server-service.litmus.svc.cluster.local"
|
||||
- name: LITMUS_AUTH_GRPC_PORT
|
||||
value: ":3030"
|
||||
- name: WORKFLOW_HELPER_IMAGE_VERSION
|
||||
value: "3.0.0-beta10"
|
||||
- name: REMOTE_HUB_MAX_SIZE
|
||||
value: "5000000"
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
- containerPort: 8000
|
||||
imagePullPolicy: Always
|
||||
serviceAccountName: litmus-server-account
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: litmusportal-server-service
|
||||
namespace: litmus
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: graphql-server
|
||||
port: 9002
|
||||
targetPort: 8080
|
||||
- name: graphql-rpc-server
|
||||
port: 8000
|
||||
targetPort: 8000
|
||||
selector:
|
||||
component: litmusportal-server
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: litmusportal-auth-server
|
||||
namespace: litmus
|
||||
labels:
|
||||
component: litmusportal-auth-server
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
component: litmusportal-auth-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
component: litmusportal-auth-server
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- name: auth-server
|
||||
image: litmuschaos/litmusportal-auth-server:3.0.0
|
||||
securityContext:
|
||||
runAsUser: 2000
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: litmus-portal-admin-config
|
||||
- secretRef:
|
||||
name: litmus-portal-admin-secret
|
||||
env:
|
||||
- name: STRICT_PASSWORD_POLICY
|
||||
value: "false"
|
||||
- name: ADMIN_USERNAME
|
||||
value: "admin"
|
||||
- name: ADMIN_PASSWORD
|
||||
value: "litmus"
|
||||
- name: LITMUS_GQL_GRPC_ENDPOINT
|
||||
value: "litmusportal-server-service.litmus.svc.cluster.local"
|
||||
- name: LITMUS_GQL_GRPC_PORT
|
||||
value: ":8000"
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
- containerPort: 3030
|
||||
imagePullPolicy: Always
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: litmusportal-auth-server-service
|
||||
namespace: litmus
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: auth-server
|
||||
port: 9003
|
||||
targetPort: 3000
|
||||
- name: auth-rpc-server
|
||||
port: 3030
|
||||
targetPort: 3030
|
||||
selector:
|
||||
component: litmusportal-auth-server
|
||||
|
|
@ -0,0 +1,808 @@
|
|||
### RBAC Manifests
|
||||
## If SELF_AGENT="true" then these permissions are required to apply
|
||||
## https://github.com/litmuschaos/litmus/blob/master/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: argo-cr-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [pods, pods/exec]
|
||||
verbs: [create, get, list, watch, update, patch, delete]
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps]
|
||||
verbs: [get, watch, list]
|
||||
- apiGroups: [""]
|
||||
resources: [persistentvolumeclaims]
|
||||
verbs: [create, delete]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [workflows, workflows/finalizers]
|
||||
verbs: [get, list, watch, update, patch, delete, create]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources:
|
||||
[
|
||||
workflowtemplates,
|
||||
workflowtemplates/finalizers,
|
||||
clusterworkflowtemplates,
|
||||
clusterworkflowtemplates/finalizers,
|
||||
workflowtasksets,
|
||||
]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [workflowtaskresults]
|
||||
verbs: [list, watch, deletecollection]
|
||||
- apiGroups: [""]
|
||||
resources: [serviceaccounts]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [cronworkflows, cronworkflows/finalizers]
|
||||
verbs: [get, list, watch, update, patch, delete]
|
||||
- apiGroups: [""]
|
||||
resources: [events]
|
||||
verbs: [create, patch]
|
||||
- apiGroups: [policy]
|
||||
resources: [poddisruptionbudgets]
|
||||
verbs: [create, get, delete]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: argo-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: argo-cr-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/2b_litmus_rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: litmus-cluster-scope-for-litmusportal-server
|
||||
labels:
|
||||
app.kubernetes.io/name: litmus
|
||||
# provide unique instance-id if applicable
|
||||
# app.kubernetes.io/instance: litmus-abcxzy
|
||||
app.kubernetes.io/version: 3.0.0
|
||||
app.kubernetes.io/component: operator-clusterrole
|
||||
app.kubernetes.io/part-of: litmus
|
||||
app.kubernetes.io/managed-by: kubectl
|
||||
name: litmus-cluster-scope-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [replicationcontrollers, secrets]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [apps.openshift.io]
|
||||
resources: [deploymentconfigs]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, daemonsets, replicasets, statefulsets]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [batch]
|
||||
resources: [jobs]
|
||||
verbs: [get, list, deletecollection]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [rollouts]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [""]
|
||||
resources: [pods, configmaps, events, services]
|
||||
verbs: [get, create, update, patch, delete, list, watch, deletecollection]
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosexperiments, chaosresults]
|
||||
verbs: [get, create, update, patch, delete, list, watch, deletecollection]
|
||||
- apiGroups: [apiextensions.k8s.io]
|
||||
resources: [customresourcedefinitions]
|
||||
verbs: [list, get]
|
||||
- apiGroups: ["litmuschaos.io"]
|
||||
resources: ["chaosengines/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "create", "list", "update", "delete"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: litmus-cluster-scope-crb-for-litmusportal-server
|
||||
labels:
|
||||
app.kubernetes.io/name: litmus
|
||||
# provide unique instance-id if applicable
|
||||
# app.kubernetes.io/instance: litmus-abcxzy
|
||||
app.kubernetes.io/version: 3.0.0
|
||||
app.kubernetes.io/component: operator-clusterrolebinding
|
||||
app.kubernetes.io/part-of: litmus
|
||||
app.kubernetes.io/managed-by: kubectl
|
||||
name: litmus-cluster-scope-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: litmus-cluster-scope-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/3a_agents_rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: litmus-admin-cr-for-litmusportal-server
|
||||
labels:
|
||||
name: litmus-admin-cr-for-litmusportal-server
|
||||
rules:
|
||||
# ***************************************************************************************
|
||||
# Permissions needed for preparing and monitor the chaos resources by chaos-runner
|
||||
# ***************************************************************************************
|
||||
|
||||
# The chaos operator watches the chaosengine resource and orchestartes the chaos experiment..
|
||||
## .. by creating the chaos-runner
|
||||
|
||||
# for creating and monitoring the chaos-runner pods
|
||||
- apiGroups: [""]
|
||||
resources: [pods, events]
|
||||
verbs: [create, delete, get, list, patch, update, deletecollection]
|
||||
|
||||
# for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
|
||||
- apiGroups: [""]
|
||||
resources: [secrets, configmaps]
|
||||
verbs: [get, list]
|
||||
|
||||
# for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log]
|
||||
verbs: [get, list, watch]
|
||||
|
||||
# for configuring and monitor the experiment job by chaos-runner pod
|
||||
- apiGroups: [batch]
|
||||
resources: [jobs]
|
||||
verbs: [create, list, get, delete, deletecollection]
|
||||
|
||||
# ********************************************************************
|
||||
# Permissions needed for creation and discovery of chaos experiments
|
||||
# ********************************************************************
|
||||
|
||||
# The helper pods are created by experiment to perform the actual chaos injection ...
|
||||
# ... for a period of chaos duration
|
||||
|
||||
# for creating and deleting the helper or target app pod and events by experiment
|
||||
- apiGroups: [""]
|
||||
resources: [pods]
|
||||
verbs: [create, delete, deletecollection]
|
||||
|
||||
# for creating and monitoring the events for chaos operations
|
||||
- apiGroups: [""]
|
||||
resources: [events]
|
||||
verbs: [create, delete, get, list, patch, update, deletecollection]
|
||||
|
||||
# for monitoring the helper and target app pod
|
||||
- apiGroups: [""]
|
||||
resources: [pods]
|
||||
verbs: [get, list, patch, update]
|
||||
|
||||
# for creating and managing to execute comands inside target container
|
||||
- apiGroups: [""]
|
||||
resources: [pods/exec, pods/eviction, replicationcontrollers]
|
||||
verbs: [get, list, create]
|
||||
|
||||
# for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log]
|
||||
verbs: [get, list, watch]
|
||||
|
||||
# for creating and monitoring liveness services or monitoring target app services during chaos injection
|
||||
- apiGroups: [""]
|
||||
resources: [services]
|
||||
verbs: [create, delete, get, list, delete, deletecollection]
|
||||
|
||||
# for checking the app parent resources as deployments or sts and are eligible chaos candidates
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, statefulsets]
|
||||
verbs: [list, get, patch, update, create, delete]
|
||||
|
||||
# for checking the app parent resources as replicasets and are eligible chaos candidates
|
||||
- apiGroups: [apps]
|
||||
resources: [replicasets]
|
||||
verbs: [list, get]
|
||||
|
||||
# for checking the app parent resources as deamonsets and are eligible chaos candidates
|
||||
- apiGroups: [apps]
|
||||
resources: [daemonsets]
|
||||
verbs: [list, get, delete]
|
||||
|
||||
# for checking (openshift) app parent resources if they are eligible chaos candidates
|
||||
- apiGroups: [apps.openshift.io]
|
||||
resources: [deploymentconfigs]
|
||||
verbs: [list, get]
|
||||
|
||||
# for checking (argo) app parent resources if they are eligible chaos candidates
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [rollouts]
|
||||
verbs: [list, get]
|
||||
|
||||
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosexperiments, chaosresults]
|
||||
verbs: [create, list, get, patch, update, delete]
|
||||
|
||||
# for experiment to perform node status checks and other node level operations like taint, drain in the experiment.
|
||||
- apiGroups: [""]
|
||||
resources: [nodes]
|
||||
verbs: [patch, get, list, update]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: litmus-admin-crb-for-litmusportal-server
|
||||
labels:
|
||||
name: litmus-admin-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: litmus-admin-cr-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: chaos-cr-for-litmusportal-server
|
||||
rules:
|
||||
# for managing the pods created by workflow controller to implement individual steps in the workflow
|
||||
- apiGroups: [""]
|
||||
resources: [pods, services, namespaces]
|
||||
verbs: [create, get, watch, patch, delete, list]
|
||||
|
||||
# for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log, secrets, configmaps]
|
||||
verbs: [get, watch, create, delete, patch]
|
||||
|
||||
# for creation & deletion of application in predefined workflows
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, statefulsets]
|
||||
verbs: [get, watch, patch, create, delete]
|
||||
|
||||
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosexperiments, chaosresults, chaosschedules]
|
||||
verbs: [create, list, get, patch, delete, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: chaos-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: chaos-cr-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: subscriber-cr-for-litmusportal-server
|
||||
namespace: litmus
|
||||
labels:
|
||||
name: subscriber-cr-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps, secrets]
|
||||
verbs: [get, create, delete, update]
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: [""]
|
||||
resources: [pods, namespaces, nodes, services]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosschedules, chaosresults]
|
||||
verbs: [get, list, create, delete, update, watch]
|
||||
- apiGroups: [apps.openshift.io]
|
||||
resources: [deploymentconfigs]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, daemonsets, replicasets, statefulsets]
|
||||
verbs: [get, list, delete, deletecollection]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources:
|
||||
[
|
||||
workflows,
|
||||
workflows/finalizers,
|
||||
workflowtemplates,
|
||||
workflowtemplates/finalizers,
|
||||
cronworkflows,
|
||||
cronworkflows/finalizers,
|
||||
clusterworkflowtemplates,
|
||||
clusterworkflowtemplates/finalizers,
|
||||
rollouts,
|
||||
]
|
||||
verbs: [get, list, create, delete, update, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: subscriber-crb-for-litmusportal-server
|
||||
namespace: litmus
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: subscriber-cr-for-litmusportal-server
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: event-tracker-cr-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [eventtracker.litmuschaos.io]
|
||||
resources: [eventtrackerpolicies]
|
||||
verbs: [create, delete, get, list, patch, update, watch]
|
||||
- apiGroups: [eventtracker.litmuschaos.io]
|
||||
resources: [eventtrackerpolicies/status]
|
||||
verbs: [get, patch, update]
|
||||
- apiGroups: ["", extensions, apps]
|
||||
resources:
|
||||
[deployments, daemonsets, statefulsets, pods, configmaps, secrets]
|
||||
verbs: [get, list, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: event-tracker-crb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: event-tracker-cr-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
# litmus-server-cr is used by the litmusportal-server
|
||||
# If SELF_AGENT=false, then only litmus-server-cr and litmus-server-crb are required.
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: litmus-server-cr
|
||||
rules:
|
||||
- apiGroups: [networking.k8s.io, extensions]
|
||||
resources: [ingresses]
|
||||
verbs: [get]
|
||||
- apiGroups: [""]
|
||||
resources: [services, nodes, pods/log]
|
||||
verbs: [get, watch]
|
||||
- apiGroups: [apiextensions.k8s.io]
|
||||
resources: [customresourcedefinitions]
|
||||
verbs: [create]
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments]
|
||||
verbs: [create]
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps]
|
||||
verbs: [get]
|
||||
- apiGroups: [""]
|
||||
resources: [serviceaccounts]
|
||||
verbs: [create]
|
||||
- apiGroups: [rbac.authorization.k8s.io]
|
||||
resources: [rolebindings, roles, clusterrolebindings, clusterroles]
|
||||
verbs: [create]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: litmus-server-crb
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: litmus-server-cr
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
## Control plane manifests
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: litmus
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: litmus-server-account
|
||||
namespace: litmus
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: litmus-portal-admin-secret
|
||||
namespace: litmus
|
||||
stringData:
|
||||
JWT_SECRET: "litmus-portal@123"
|
||||
DB_USER: "root"
|
||||
DB_PASSWORD: "1234"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: litmus-portal-admin-config
|
||||
namespace: litmus
|
||||
data:
|
||||
DB_SERVER: mongodb://my-release-mongodb-0.my-release-mongodb-headless.litmus.svc.cluster.local:27017,my-release-mongodb-1.my-release-mongodb-headless.litmus.svc.cluster.local:27017,my-release-mongodb-2.my-release-mongodb-headless.litmus.svc.cluster.local:27017/admin
|
||||
INFRA_SCOPE: cluster
|
||||
INFRA_NAMESPACE: litmus
|
||||
VERSION: "3.0.0"
|
||||
SKIP_SSL_VERIFY: "false"
|
||||
# Configurations if you are using dex for OAuth
|
||||
DEX_ENABLED: "false"
|
||||
OIDC_ISSUER: "http://<Your Domain>:32000"
|
||||
DEX_OAUTH_CALLBACK_URL: "http://<litmus-portal frontend exposed URL>:8080/auth/dex/callback"
|
||||
DEX_OAUTH_CLIENT_ID: "LitmusPortalAuthBackend"
|
||||
DEX_OAUTH_CLIENT_SECRET: "ZXhhbXBsZS1hcHAtc2VjcmV0"
|
||||
OAuthJwtSecret: "litmus-oauth@123"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: litmusportal-frontend-nginx-configuration
|
||||
namespace: litmus
|
||||
data:
|
||||
nginx.conf: |
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
proxy_temp_path /tmp/proxy_temp_path;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
server_tokens off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
server {
|
||||
listen 8185 default_server;
|
||||
root /opt/chaos;
|
||||
|
||||
location /health {
|
||||
return 200;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_http_version 1.1;
|
||||
add_header Cache-Control "no-cache";
|
||||
try_files $uri /index.html;
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
# redirect server error pages to the static page /50x.html
|
||||
#
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
|
||||
location /auth/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass "http://litmusportal-auth-server-service:9003/";
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass "http://litmusportal-server-service:9002/";
|
||||
}
|
||||
|
||||
location /ws/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass "http://litmusportal-server-service:9002/";
|
||||
}
|
||||
}
|
||||
}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: litmusportal-frontend
|
||||
namespace: litmus
|
||||
labels:
|
||||
component: litmusportal-frontend
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
component: litmusportal-frontend
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
component: litmusportal-frontend
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- name: litmusportal-frontend
|
||||
image: litmuschaos/litmusportal-frontend:3.0.0
|
||||
imagePullPolicy: Always
|
||||
# securityContext:
|
||||
# runAsUser: 2000
|
||||
# allowPrivilegeEscalation: false
|
||||
# runAsNonRoot: true
|
||||
ports:
|
||||
- containerPort: 8185
|
||||
resources:
|
||||
requests:
|
||||
memory: "150Mi"
|
||||
cpu: "125m"
|
||||
ephemeral-storage: "500Mi"
|
||||
limits:
|
||||
memory: "512Mi"
|
||||
cpu: "550m"
|
||||
ephemeral-storage: "1Gi"
|
||||
volumeMounts:
|
||||
- name: nginx-config
|
||||
mountPath: /etc/nginx/nginx.conf
|
||||
subPath: nginx.conf
|
||||
volumes:
|
||||
- name: nginx-config
|
||||
configMap:
|
||||
name: litmusportal-frontend-nginx-configuration
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: litmusportal-frontend-service
|
||||
namespace: litmus
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: http
|
||||
port: 9091
|
||||
targetPort: 8185
|
||||
selector:
|
||||
component: litmusportal-frontend
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: litmusportal-server
|
||||
namespace: litmus
|
||||
labels:
|
||||
component: litmusportal-server
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
component: litmusportal-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
component: litmusportal-server
|
||||
spec:
|
||||
volumes:
|
||||
- name: gitops-storage
|
||||
emptyDir: {}
|
||||
- name: hub-storage
|
||||
emptyDir: {}
|
||||
containers:
|
||||
- name: graphql-server
|
||||
image: litmuschaos/litmusportal-server:3.0.0
|
||||
volumeMounts:
|
||||
- mountPath: /tmp/
|
||||
name: gitops-storage
|
||||
- mountPath: /tmp/version
|
||||
name: hub-storage
|
||||
securityContext:
|
||||
runAsUser: 2000
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: litmus-portal-admin-config
|
||||
- secretRef:
|
||||
name: litmus-portal-admin-secret
|
||||
env:
|
||||
# if self-signed certificate are used pass the k8s tls secret name created in portal ns, to allow agents to use tls for communication
|
||||
- name: TLS_SECRET_NAME
|
||||
value: ""
|
||||
- name: LITMUS_PORTAL_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: CHAOS_CENTER_SCOPE
|
||||
value: "cluster"
|
||||
- name: SUBSCRIBER_IMAGE
|
||||
value: "litmuschaos/litmusportal-subscriber:3.0.0"
|
||||
- name: EVENT_TRACKER_IMAGE
|
||||
value: "litmuschaos/litmusportal-event-tracker:3.0.0"
|
||||
- name: ARGO_WORKFLOW_CONTROLLER_IMAGE
|
||||
value: "litmuschaos/workflow-controller:v3.3.1"
|
||||
- name: ARGO_WORKFLOW_EXECUTOR_IMAGE
|
||||
value: "litmuschaos/argoexec:v3.3.1"
|
||||
- name: LITMUS_CHAOS_OPERATOR_IMAGE
|
||||
value: "litmuschaos/chaos-operator:3.0.0-beta10"
|
||||
- name: LITMUS_CHAOS_RUNNER_IMAGE
|
||||
value: "litmuschaos/chaos-runner:3.0.0-beta10"
|
||||
- name: LITMUS_CHAOS_EXPORTER_IMAGE
|
||||
value: "litmuschaos/chaos-exporter:3.0.0-beta10"
|
||||
- name: SERVER_SERVICE_NAME
|
||||
value: "litmusportal-server-service"
|
||||
- name: INFRA_DEPLOYMENTS
|
||||
value: '["app=chaos-exporter", "name=chaos-operator", "app=workflow-controller"]'
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
- name: SELF_AGENT_NODE_SELECTOR
|
||||
value: ""
|
||||
- name: SELF_AGENT_TOLERATIONS
|
||||
value: ""
|
||||
- name: CHAOS_CENTER_UI_ENDPOINT
|
||||
value: ""
|
||||
- name: INGRESS
|
||||
value: "false"
|
||||
- name: INGRESS_NAME
|
||||
value: "litmus-ingress"
|
||||
- name: CONTAINER_RUNTIME_EXECUTOR
|
||||
value: "k8sapi"
|
||||
- name: DEFAULT_HUB_BRANCH_NAME
|
||||
value: "master"
|
||||
- name: LITMUS_AUTH_GRPC_ENDPOINT
|
||||
value: "litmusportal-auth-server-service.litmus.svc.cluster.local"
|
||||
- name: LITMUS_AUTH_GRPC_PORT
|
||||
value: ":3030"
|
||||
- name: WORKFLOW_HELPER_IMAGE_VERSION
|
||||
value: "3.0.0-beta10"
|
||||
- name: REMOTE_HUB_MAX_SIZE
|
||||
value: "5000000"
|
||||
- name: INFRA_COMPATIBLE_VERSIONS
|
||||
value: '["0.3.0", "0.2.0", "0.1.0","ci"]'
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
- containerPort: 8000
|
||||
imagePullPolicy: Always
|
||||
resources:
|
||||
requests:
|
||||
memory: "250Mi"
|
||||
cpu: "225m"
|
||||
ephemeral-storage: "500Mi"
|
||||
limits:
|
||||
memory: "712Mi"
|
||||
cpu: "550m"
|
||||
ephemeral-storage: "1Gi"
|
||||
serviceAccountName: litmus-server-account
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: litmusportal-server-service
|
||||
namespace: litmus
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: graphql-server
|
||||
port: 9002
|
||||
targetPort: 8080
|
||||
- name: graphql-rpc-server
|
||||
port: 8000
|
||||
targetPort: 8000
|
||||
selector:
|
||||
component: litmusportal-server
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: litmusportal-auth-server
|
||||
namespace: litmus
|
||||
labels:
|
||||
component: litmusportal-auth-server
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
component: litmusportal-auth-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
component: litmusportal-auth-server
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- name: auth-server
|
||||
image: litmuschaos/litmusportal-auth-server:3.0.0
|
||||
securityContext:
|
||||
runAsUser: 2000
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: litmus-portal-admin-config
|
||||
- secretRef:
|
||||
name: litmus-portal-admin-secret
|
||||
env:
|
||||
- name: STRICT_PASSWORD_POLICY
|
||||
value: "false"
|
||||
- name: ADMIN_USERNAME
|
||||
value: "admin"
|
||||
- name: ADMIN_PASSWORD
|
||||
value: "litmus"
|
||||
- name: LITMUS_GQL_GRPC_ENDPOINT
|
||||
value: "litmusportal-server-service.litmus.svc.cluster.local"
|
||||
- name: LITMUS_GQL_GRPC_PORT
|
||||
value: ":8000"
|
||||
resources:
|
||||
requests:
|
||||
memory: "250Mi"
|
||||
cpu: "225m"
|
||||
ephemeral-storage: "500Mi"
|
||||
limits:
|
||||
memory: "712Mi"
|
||||
cpu: "550m"
|
||||
ephemeral-storage: "1Gi"
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
- containerPort: 3030
|
||||
imagePullPolicy: Always
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: litmusportal-auth-server-service
|
||||
namespace: litmus
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: auth-server
|
||||
port: 9003
|
||||
targetPort: 3000
|
||||
- name: auth-rpc-server
|
||||
port: 3030
|
||||
targetPort: 3030
|
||||
selector:
|
||||
component: litmusportal-auth-server
|
||||
|
|
@ -0,0 +1,762 @@
|
|||
### RBAC Manifests
|
||||
## If SELF_AGENT="true" then these permissions are required to apply
|
||||
## https://github.com/litmuschaos/litmus/blob/master/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: argo-role-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [pods, pods/exec]
|
||||
verbs: [create, get, list, watch, update, patch, delete]
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps]
|
||||
verbs: [get, watch, list]
|
||||
- apiGroups: [""]
|
||||
resources: [persistentvolumeclaims]
|
||||
verbs: [create, delete]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [workflows, workflows/finalizers]
|
||||
verbs: [get, list, watch, update, patch, delete, create]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources:
|
||||
[workflowtemplates, workflowtemplates/finalizers, workflowtasksets]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [workflowtaskresults]
|
||||
verbs: [list, watch, deletecollection]
|
||||
- apiGroups: [""]
|
||||
resources: [serviceaccounts]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [""]
|
||||
resources: [secrets]
|
||||
verbs: [get]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [cronworkflows, cronworkflows/finalizers]
|
||||
verbs: [get, list, watch, update, patch, delete]
|
||||
- apiGroups: [""]
|
||||
resources: [events]
|
||||
verbs: [create, patch]
|
||||
- apiGroups: [policy]
|
||||
resources: [poddisruptionbudgets]
|
||||
verbs: [create, get, delete]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: argo-rb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: argo-role-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: litmus-namespace-scope-for-litmusportal-server
|
||||
labels:
|
||||
app.kubernetes.io/name: litmus
|
||||
# provide unique instance-id if applicable
|
||||
# app.kubernetes.io/instance: litmus-abcxzy
|
||||
app.kubernetes.io/version: 3.0.0
|
||||
app.kubernetes.io/component: operator-role
|
||||
app.kubernetes.io/part-of: litmus
|
||||
app.kubernetes.io/managed-by: kubectl
|
||||
name: litmus-namespace-scope-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [replicationcontrollers, secrets]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [apps.openshift.io]
|
||||
resources: [deploymentconfigs]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, daemonsets, replicasets, statefulsets]
|
||||
verbs: [get, list, update]
|
||||
- apiGroups: [batch]
|
||||
resources: [jobs]
|
||||
verbs: [get, list, create, deletecollection]
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [rollouts]
|
||||
verbs: [get, list]
|
||||
- apiGroups: [""]
|
||||
resources: [pods, pods/exec, configmaps, events, services]
|
||||
verbs: [get, create, update, patch, delete, list, watch, deletecollection]
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosexperiments, chaosresults]
|
||||
verbs: [get, create, update, patch, delete, list, watch, deletecollection]
|
||||
- apiGroups: ["litmuschaos.io"]
|
||||
resources: ["chaosengines/finalizers"]
|
||||
verbs: ["update"]
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "create", "list", "update", "delete"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: litmus-namespace-scope-rb-for-litmusportal-server
|
||||
labels:
|
||||
app.kubernetes.io/name: litmus
|
||||
# provide unique instance-id if applicable
|
||||
# app.kubernetes.io/instance: litmus-abcxzy
|
||||
app.kubernetes.io/version: 3.0.0
|
||||
app.kubernetes.io/component: operator-rolebinding
|
||||
app.kubernetes.io/part-of: litmus
|
||||
app.kubernetes.io/managed-by: kubectl
|
||||
name: litmus-namespace-scope-rb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: litmus-namespace-scope-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/namespace/3a_agents_rbac.yaml
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: subscriber-role-for-litmusportal-server
|
||||
labels:
|
||||
name: subscriber-role-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps, secrets]
|
||||
verbs: [get, create, delete, update]
|
||||
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log]
|
||||
verbs: [get, list, watch]
|
||||
|
||||
- apiGroups: [""]
|
||||
resources: [pods, services]
|
||||
verbs: [get, list, watch]
|
||||
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosschedules, chaosresults]
|
||||
verbs: [get, list, create, delete, update, watch]
|
||||
|
||||
- apiGroups: [apps.openshift.io]
|
||||
resources: [deploymentconfigs]
|
||||
verbs: [get, list]
|
||||
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, daemonsets, replicasets, statefulsets]
|
||||
verbs: [get, list, delete, deletecollection]
|
||||
|
||||
- apiGroups: [argoproj.io]
|
||||
resources:
|
||||
[
|
||||
workflows,
|
||||
workflows/finalizers,
|
||||
workflowtemplates,
|
||||
workflowtemplates/finalizers,
|
||||
cronworkflows,
|
||||
cronworkflows/finalizers,
|
||||
rollouts,
|
||||
]
|
||||
verbs: [get, list, create, delete, update, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: subscriber-rb-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: subscriber-role-for-litmusportal-server
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: litmus-admin-role-for-litmusportal-server
|
||||
labels:
|
||||
name: litmus-admin-role-for-litmusportal-server
|
||||
rules:
|
||||
# ***************************************************************************************
|
||||
# Permissions needed for preparing and monitor the chaos resources by chaos-runner
|
||||
# ***************************************************************************************
|
||||
|
||||
# The chaos operator watches the chaosengine resource and orchestartes the chaos experiment..
|
||||
## .. by creating the chaos-runner
|
||||
|
||||
# for creating and monitoring the chaos-runner pods
|
||||
- apiGroups: [""]
|
||||
resources: [pods, events]
|
||||
verbs: [create, delete, get, list, patch, update, deletecollection]
|
||||
|
||||
# for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
|
||||
- apiGroups: [""]
|
||||
resources: [secrets, configmaps]
|
||||
verbs: [get, list]
|
||||
|
||||
# for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log]
|
||||
verbs: [get, list, watch]
|
||||
|
||||
# for configuring and monitor the experiment job by chaos-runner pod
|
||||
- apiGroups: [batch]
|
||||
resources: [jobs]
|
||||
verbs: [create, list, get, delete, deletecollection]
|
||||
|
||||
# ********************************************************************
|
||||
# Permissions needed for creation and discovery of chaos experiments
|
||||
# ********************************************************************
|
||||
|
||||
# The helper pods are created by experiment to perform the actual chaos injection ...
|
||||
# ... for a period of chaos duration
|
||||
|
||||
# for creating and deleting the helper or target app pod and events by experiment
|
||||
- apiGroups: [""]
|
||||
resources: [pods]
|
||||
verbs: [create, delete, deletecollection]
|
||||
|
||||
# for creating and monitoring the events for chaos operations
|
||||
- apiGroups: [""]
|
||||
resources: [events]
|
||||
verbs: [create, delete, get, list, patch, update, deletecollection]
|
||||
|
||||
# for monitoring the helper and target app pod
|
||||
- apiGroups: [""]
|
||||
resources: [pods]
|
||||
verbs: [get, list, patch, update]
|
||||
|
||||
# for creating and managing to execute comands inside target container
|
||||
- apiGroups: [""]
|
||||
resources: [pods/exec, pods/eviction, replicationcontrollers]
|
||||
verbs: [get, list, create]
|
||||
|
||||
# for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log]
|
||||
verbs: [get, list, watch]
|
||||
|
||||
# for creating and monitoring liveness services or monitoring target app services during chaos injection
|
||||
- apiGroups: [""]
|
||||
resources: [services]
|
||||
verbs: [create, delete, get, list, delete, deletecollection]
|
||||
|
||||
# for checking the app parent resources as deployments or sts and are eligible chaos candidates
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, statefulsets]
|
||||
verbs: [list, get, patch, update, create, delete]
|
||||
|
||||
# for checking the app parent resources as replicasets and are eligible chaos candidates
|
||||
- apiGroups: [apps]
|
||||
resources: [replicasets]
|
||||
verbs: [list, get]
|
||||
|
||||
# for checking the app parent resources as deamonsets and are eligible chaos candidates
|
||||
- apiGroups: [apps]
|
||||
resources: [daemonsets]
|
||||
verbs: [list, get, delete]
|
||||
|
||||
# for checking (openshift) app parent resources if they are eligible chaos candidates
|
||||
- apiGroups: [apps.openshift.io]
|
||||
resources: [deploymentconfigs]
|
||||
verbs: [list, get]
|
||||
|
||||
# for checking (argo) app parent resources if they are eligible chaos candidates
|
||||
- apiGroups: [argoproj.io]
|
||||
resources: [rollouts]
|
||||
verbs: [list, get]
|
||||
|
||||
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosexperiments, chaosresults]
|
||||
verbs: [create, list, get, patch, update, delete]
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: litmus-admin-rb-for-litmusportal-server
|
||||
labels:
|
||||
name: litmus-admin-rb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: litmus-admin-role-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: chaos-role-for-litmusportal-server
|
||||
rules:
|
||||
# for managing the pods created by workflow controller to implement individual steps in the workflow
|
||||
- apiGroups: [""]
|
||||
resources: [pods, services]
|
||||
verbs: [create, get, watch, patch, delete, list]
|
||||
|
||||
# for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
|
||||
- apiGroups: [""]
|
||||
resources: [pods/log, secrets, configmaps]
|
||||
verbs: [get, watch, create, delete, patch]
|
||||
|
||||
# for creation & deletion of application in predefined workflows
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments, statefulsets]
|
||||
verbs: [get, watch, patch, create, delete]
|
||||
|
||||
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
|
||||
- apiGroups: [litmuschaos.io]
|
||||
resources: [chaosengines, chaosexperiments, chaosresults, chaosschedules]
|
||||
verbs: [create, list, get, patch, delete, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: chaos-rb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: chaos-role-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: event-tracker-role-for-litmusportal-server
|
||||
rules:
|
||||
- apiGroups: [eventtracker.litmuschaos.io]
|
||||
resources: [eventtrackerpolicies]
|
||||
verbs: [create, delete, get, list, patch, update, watch]
|
||||
- apiGroups: [eventtracker.litmuschaos.io]
|
||||
resources: [eventtrackerpolicies/status]
|
||||
verbs: [get, patch, update]
|
||||
- apiGroups: [""]
|
||||
resources: [pods, configmaps, secrets]
|
||||
verbs: [get, list, watch]
|
||||
- apiGroups: [extensions, apps]
|
||||
resources: [deployments, daemonsets, statefulsets]
|
||||
verbs: [get, list, watch]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: event-tracker-rb-for-litmusportal-server
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: event-tracker-role-for-litmusportal-server
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
# litmus-server-role is used by the litmusportal-server
|
||||
# If SELF_AGENT=false, then only litmus-server-role and litmus-server-rb are required.
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: litmus-server-role
|
||||
rules:
|
||||
- apiGroups: [networking.k8s.io, extensions]
|
||||
resources: [ingresses]
|
||||
verbs: [get]
|
||||
- apiGroups: [""]
|
||||
resources: [services, pods/log]
|
||||
verbs: [get, watch]
|
||||
- apiGroups: [apps]
|
||||
resources: [deployments]
|
||||
verbs: [create]
|
||||
- apiGroups: [""]
|
||||
resources: [configmaps]
|
||||
verbs: [get]
|
||||
- apiGroups: [""]
|
||||
resources: [serviceaccounts]
|
||||
verbs: [create]
|
||||
- apiGroups: [rbac.authorization.k8s.io]
|
||||
resources: [rolebindings, roles]
|
||||
verbs: [create]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: litmus-server-rb
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: litmus-server-role
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: litmus-server-account
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: litmus-server-account
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: litmus-portal-admin-secret
|
||||
stringData:
|
||||
JWT_SECRET: "litmus-portal@123"
|
||||
DB_USER: "root"
|
||||
DB_PASSWORD: "1234"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: litmus-portal-admin-config
|
||||
data:
|
||||
INFRA_SCOPE: namespace
|
||||
DB_SERVER: mongodb://my-release-mongodb-0.my-release-mongodb-headless.litmus.svc.cluster.local:27017,my-release-mongodb-1.my-release-mongodb-headless.litmus.svc.cluster.local:27017,my-release-mongodb-2.my-release-mongodb-headless.litmus.svc.cluster.local:27017/admin
|
||||
VERSION: "3.0.0"
|
||||
SKIP_SSL_VERIFY: "false"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: litmusportal-frontend-nginx-configuration
|
||||
data:
|
||||
default.conf: |
|
||||
pid /tmp/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
client_body_temp_path /tmp/client_temp;
|
||||
proxy_temp_path /tmp/proxy_temp_path;
|
||||
fastcgi_temp_path /tmp/fastcgi_temp;
|
||||
uwsgi_temp_path /tmp/uwsgi_temp;
|
||||
scgi_temp_path /tmp/scgi_temp;
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
server_tokens off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
server {
|
||||
listen 8185 default_server;
|
||||
root /opt/chaos;
|
||||
|
||||
location /health {
|
||||
return 200;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_http_version 1.1;
|
||||
add_header Cache-Control "no-cache";
|
||||
try_files $uri /index.html;
|
||||
autoindex on;
|
||||
}
|
||||
|
||||
# redirect server error pages to the static page /50x.html
|
||||
#
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
|
||||
location /auth/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass "http://litmusportal-auth-server-service:9003/";
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass "http://litmusportal-server-service:9002/";
|
||||
}
|
||||
|
||||
location /ws/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_pass "http://litmusportal-server-service:9002/";
|
||||
}
|
||||
}
|
||||
}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: litmusportal-frontend
|
||||
labels:
|
||||
component: litmusportal-frontend
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
component: litmusportal-frontend
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
component: litmusportal-frontend
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- name: litmusportal-frontend
|
||||
image: litmuschaos/litmusportal-frontend:3.0.0
|
||||
# securityContext:
|
||||
# runAsUser: 2000
|
||||
# allowPrivilegeEscalation: false
|
||||
# runAsNonRoot: true
|
||||
imagePullPolicy: Always
|
||||
ports:
|
||||
- containerPort: 8185
|
||||
volumeMounts:
|
||||
- name: nginx-config
|
||||
mountPath: /etc/nginx/nginx.conf
|
||||
subPath: nginx.conf
|
||||
resources:
|
||||
requests:
|
||||
memory: "250Mi"
|
||||
cpu: "125m"
|
||||
ephemeral-storage: "500Mi"
|
||||
limits:
|
||||
memory: "512Mi"
|
||||
cpu: "550m"
|
||||
ephemeral-storage: "1Gi"
|
||||
volumes:
|
||||
- name: nginx-config
|
||||
configMap:
|
||||
name: litmusportal-frontend-nginx-configuration
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: litmusportal-frontend-service
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: http
|
||||
port: 9091
|
||||
targetPort: 8185
|
||||
selector:
|
||||
component: litmusportal-frontend
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: litmusportal-server
|
||||
labels:
|
||||
component: litmusportal-server
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
component: litmusportal-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
component: litmusportal-server
|
||||
spec:
|
||||
volumes:
|
||||
- name: gitops-storage
|
||||
emptyDir: {}
|
||||
- name: hub-storage
|
||||
emptyDir: {}
|
||||
containers:
|
||||
- name: graphql-server
|
||||
image: litmuschaos/litmusportal-server:3.0.0
|
||||
volumeMounts:
|
||||
- mountPath: /tmp/gitops
|
||||
name: gitops-storage
|
||||
- mountPath: /tmp/version
|
||||
name: hub-storage
|
||||
securityContext:
|
||||
runAsUser: 2000
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: litmus-portal-admin-config
|
||||
- secretRef:
|
||||
name: litmus-portal-admin-secret
|
||||
env:
|
||||
- name: LITMUS_PORTAL_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
- name: SELF_AGENT_NODE_SELECTOR
|
||||
value: ""
|
||||
- name: SELF_AGENT_TOLERATIONS
|
||||
value: ""
|
||||
# if self-signed certificate are used pass the base64 tls certificate, to allow agents to use tls for communication
|
||||
- name: TLS_CERT_B64
|
||||
value: ""
|
||||
- name: CHAOS_CENTER_SCOPE
|
||||
value: "namespace"
|
||||
- name: INFRA_DEPLOYMENTS
|
||||
value: '["app=chaos-exporter", "name=chaos-operator", "app=workflow-controller"]'
|
||||
- name: SERVER_SERVICE_NAME
|
||||
value: "litmusportal-server-service"
|
||||
- name: CHAOS_CENTER_UI_ENDPOINT
|
||||
value: ""
|
||||
- name: SUBSCRIBER_IMAGE
|
||||
value: "litmuschaos/litmusportal-subscriber:3.0.0"
|
||||
- name: EVENT_TRACKER_IMAGE
|
||||
value: "litmuschaos/litmusportal-event-tracker:3.0.0"
|
||||
- name: ARGO_WORKFLOW_CONTROLLER_IMAGE
|
||||
value: "litmuschaos/workflow-controller:v3.3.1"
|
||||
- name: ARGO_WORKFLOW_EXECUTOR_IMAGE
|
||||
value: "litmuschaos/argoexec:v3.3.1"
|
||||
- name: LITMUS_CHAOS_OPERATOR_IMAGE
|
||||
value: "litmuschaos/chaos-operator:3.0.0-beta10"
|
||||
- name: LITMUS_CHAOS_RUNNER_IMAGE
|
||||
value: "litmuschaos/chaos-runner:3.0.0-beta10"
|
||||
- name: LITMUS_CHAOS_EXPORTER_IMAGE
|
||||
value: "litmuschaos/chaos-exporter:3.0.0-beta10"
|
||||
- name: CONTAINER_RUNTIME_EXECUTOR
|
||||
value: "k8sapi"
|
||||
- name: DEFAULT_HUB_BRANCH_NAME
|
||||
value: "master"
|
||||
- name: LITMUS_AUTH_GRPC_ENDPOINT
|
||||
value: "litmusportal-auth-server-service"
|
||||
- name: LITMUS_AUTH_GRPC_PORT
|
||||
value: ":3030"
|
||||
- name: WORKFLOW_HELPER_IMAGE_VERSION
|
||||
value: "3.0.0-beta10"
|
||||
- name: REMOTE_HUB_MAX_SIZE
|
||||
value: "5000000"
|
||||
- name: INGRESS
|
||||
value: "false"
|
||||
- name: INGRESS_NAME
|
||||
value: "litmus-ingress"
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
- containerPort: 8000
|
||||
imagePullPolicy: Always
|
||||
resources:
|
||||
requests:
|
||||
memory: "250Mi"
|
||||
cpu: "225m"
|
||||
ephemeral-storage: "500Mi"
|
||||
limits:
|
||||
memory: "712Mi"
|
||||
cpu: "550m"
|
||||
ephemeral-storage: "1Gi"
|
||||
serviceAccountName: litmus-server-account
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: litmusportal-server-service
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: graphql-server
|
||||
port: 9002
|
||||
targetPort: 8080
|
||||
- name: graphql-rpc-server
|
||||
port: 8000
|
||||
targetPort: 8000
|
||||
selector:
|
||||
component: litmusportal-server
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: litmusportal-auth-server
|
||||
labels:
|
||||
component: litmusportal-auth-server
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
component: litmusportal-auth-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
component: litmusportal-auth-server
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- name: auth-server
|
||||
image: litmuschaos/litmusportal-auth-server:3.0.0
|
||||
securityContext:
|
||||
runAsUser: 2000
|
||||
allowPrivilegeEscalation: false
|
||||
runAsNonRoot: true
|
||||
readOnlyRootFilesystem: true
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: litmus-portal-admin-config
|
||||
- secretRef:
|
||||
name: litmus-portal-admin-secret
|
||||
env:
|
||||
- name: STRICT_PASSWORD_POLICY
|
||||
value: "false"
|
||||
- name: ADMIN_USERNAME
|
||||
value: "admin"
|
||||
- name: ADMIN_PASSWORD
|
||||
value: "litmus"
|
||||
- name: LITMUS_GQL_GRPC_ENDPOINT
|
||||
value: "litmusportal-server-service"
|
||||
- name: LITMUS_GQL_GRPC_PORT
|
||||
value: ":8000"
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
- containerPort: 3030
|
||||
imagePullPolicy: Always
|
||||
resources:
|
||||
requests:
|
||||
memory: "250Mi"
|
||||
cpu: "125m"
|
||||
ephemeral-storage: "500Mi"
|
||||
limits:
|
||||
memory: "712Mi"
|
||||
cpu: "550m"
|
||||
ephemeral-storage: "1Gi"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: litmusportal-auth-server-service
|
||||
spec:
|
||||
type: NodePort
|
||||
ports:
|
||||
- name: auth-server
|
||||
port: 9003
|
||||
targetPort: 3000
|
||||
- name: auth-rpc-server
|
||||
port: 3030
|
||||
targetPort: 3030
|
||||
selector:
|
||||
component: litmusportal-auth-server
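Review bot: The `litmus-portal-admin-secret` object in this manifest ships fixed credentials (`JWT_SECRET: "litmus-portal@123"`, `DB_USER: "root"`, `DB_PASSWORD: "1234"`), and the auth-server Deployment further down sets `ADMIN_PASSWORD` to `"litmus"` as a literal env value with `STRICT_PASSWORD_POLICY` at `"false"`; the auth-server Deployment in the preceding manifest carries the same admin values. Because these values are published with the release, any install applied unchanged shares its admin login, and what is presumably its token-signing secret, with every other default install. I would ship placeholders such as `JWT_SECRET: "<REPLACE_WITH_RANDOM_VALUE>"` (or leave the Secret out and document creating it), and read `ADMIN_PASSWORD` through `valueFrom.secretKeyRef` so it is not stored in the Deployment spec. Separately, the nginx ConfigMap defines the key `default.conf` while the frontend container mounts `subPath: nginx.conf`, so the mount appears not to match any key in the ConfigMap; that is worth confirming before release.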
|
||||
File diff suppressed because it is too large
|
|
@ -0,0 +1,19 @@
|
|||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: upgrade-agent
|
||||
spec:
|
||||
ttlSecondsAfterFinished: 60
|
||||
backoffLimit: 0
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: upgrade-agent
|
||||
image: litmuschaos/upgrade-agent-cp:3.0.0
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: litmus-portal-admin-config
|
||||
- secretRef:
|
||||
name: litmus-portal-admin-secret
|
||||
imagePullPolicy: Always
|
||||
restartPolicy: Never
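Review bot: The `upgrade-agent` container has no `securityContext`, although it receives `litmus-portal-admin-secret` through `envFrom` and the server and auth-server containers added in the same commit are all locked down. I would add the same three settings under the container, `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, provided the image supports running that way, which is not visible here. The Job also sets no `resources` and leaves the service-account token mounted by default; `automountServiceAccountToken: false` on the pod spec would match the frontend and auth-server Deployments if the agent does not call the Kubernetes API.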
|
||||