litmuschaos
/
litmus
mirror of https://github.com/litmuschaos/litmus.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
litmus/mkdocs/docs/3.0.0/litmus-cluster-scope-3.0.0....

803 lines
25 KiB
YAML
Raw Blame History

### RBAC Manifests
## If SELF_AGENT="true" then these permissions are required to apply
## https://github.com/litmuschaos/litmus/blob/master/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: argo-cr-for-litmusportal-server
rules:
- apiGroups: [""]
resources: [pods, pods/exec]
verbs: [create, get, list, watch, update, patch, delete]
- apiGroups: [""]
resources: [configmaps]
verbs: [get, watch, list]
- apiGroups: [""]
resources: [persistentvolumeclaims]
verbs: [create, delete]
- apiGroups: [argoproj.io]
resources: [workflows, workflows/finalizers]
verbs: [get, list, watch, update, patch, delete, create]
- apiGroups: [argoproj.io]
resources:
[
workflowtemplates,
workflowtemplates/finalizers,
clusterworkflowtemplates,
clusterworkflowtemplates/finalizers,
workflowtasksets,
]
verbs: [get, list, watch]
- apiGroups: [argoproj.io]
resources: [workflowtaskresults]
verbs: [list, watch, deletecollection]
- apiGroups: [""]
resources: [serviceaccounts]
verbs: [get, list]
- apiGroups: [argoproj.io]
resources: [cronworkflows, cronworkflows/finalizers]
verbs: [get, list, watch, update, patch, delete]
- apiGroups: [""]
resources: [events]
verbs: [create, patch]
- apiGroups: [policy]
resources: [poddisruptionbudgets]
verbs: [create, get, delete]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argo-crb-for-litmusportal-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: argo-cr-for-litmusportal-server
subjects:
- kind: ServiceAccount
name: litmus-server-account
namespace: litmus
#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/2b_litmus_rbac.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: litmus-cluster-scope-for-litmusportal-server
labels:
app.kubernetes.io/name: litmus
# provide unique instance-id if applicable
# app.kubernetes.io/instance: litmus-abcxzy
app.kubernetes.io/version: 3.0.0
app.kubernetes.io/component: operator-clusterrole
app.kubernetes.io/part-of: litmus
app.kubernetes.io/managed-by: kubectl
name: litmus-cluster-scope-for-litmusportal-server
rules:
- apiGroups: [""]
resources: [replicationcontrollers, secrets]
verbs: [get, list]
- apiGroups: [apps.openshift.io]
resources: [deploymentconfigs]
verbs: [get, list]
- apiGroups: [apps]
resources: [deployments, daemonsets, replicasets, statefulsets]
verbs: [get, list]
- apiGroups: [batch]
resources: [jobs]
verbs: [get, list, deletecollection]
- apiGroups: [argoproj.io]
resources: [rollouts]
verbs: [get, list]
- apiGroups: [""]
resources: [pods, configmaps, events, services]
verbs: [get, create, update, patch, delete, list, watch, deletecollection]
- apiGroups: [litmuschaos.io]
resources: [chaosengines, chaosexperiments, chaosresults]
verbs: [get, create, update, patch, delete, list, watch, deletecollection]
- apiGroups: [apiextensions.k8s.io]
resources: [customresourcedefinitions]
verbs: [list, get]
- apiGroups: ["litmuschaos.io"]
resources: ["chaosengines/finalizers"]
verbs: ["update"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "create", "list", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: litmus-cluster-scope-crb-for-litmusportal-server
labels:
app.kubernetes.io/name: litmus
# provide unique instance-id if applicable
# app.kubernetes.io/instance: litmus-abcxzy
app.kubernetes.io/version: 3.0.0
app.kubernetes.io/component: operator-clusterrolebinding
app.kubernetes.io/part-of: litmus
app.kubernetes.io/managed-by: kubectl
name: litmus-cluster-scope-crb-for-litmusportal-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: litmus-cluster-scope-for-litmusportal-server
subjects:
- kind: ServiceAccount
name: litmus-server-account
namespace: litmus
#these permissions are required to apply https://github.com/litmuschaos/litmus/blob/master/litmus-portal/graphql-server/manifests/cluster/3a_agents_rbac.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: litmus-admin-cr-for-litmusportal-server
labels:
name: litmus-admin-cr-for-litmusportal-server
rules:
# ***************************************************************************************
# Permissions needed for preparing and monitor the chaos resources by chaos-runner
# ***************************************************************************************
# The chaos operator watches the chaosengine resource and orchestartes the chaos experiment..
## .. by creating the chaos-runner
# for creating and monitoring the chaos-runner pods
- apiGroups: [""]
resources: [pods, events]
verbs: [create, delete, get, list, patch, update, deletecollection]
# for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
- apiGroups: [""]
resources: [secrets, configmaps]
verbs: [get, list]
# for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
- apiGroups: [""]
resources: [pods/log]
verbs: [get, list, watch]
# for configuring and monitor the experiment job by chaos-runner pod
- apiGroups: [batch]
resources: [jobs]
verbs: [create, list, get, delete, deletecollection]
# ********************************************************************
# Permissions needed for creation and discovery of chaos experiments
# ********************************************************************
# The helper pods are created by experiment to perform the actual chaos injection ...
# ... for a period of chaos duration
# for creating and deleting the helper or target app pod and events by experiment
- apiGroups: [""]
resources: [pods]
verbs: [create, delete, deletecollection]
# for creating and monitoring the events for chaos operations
- apiGroups: [""]
resources: [events]
verbs: [create, delete, get, list, patch, update, deletecollection]
# for monitoring the helper and target app pod
- apiGroups: [""]
resources: [pods]
verbs: [get, list, patch, update]
# for creating and managing to execute comands inside target container
- apiGroups: [""]
resources: [pods/exec, pods/eviction, replicationcontrollers]
verbs: [get, list, create]
# for tracking & getting logs of the pods created by experiment pod to implement individual steps in the experiment
- apiGroups: [""]
resources: [pods/log]
verbs: [get, list, watch]
# for creating and monitoring liveness services or monitoring target app services during chaos injection
- apiGroups: [""]
resources: [services]
verbs: [create, delete, get, list, delete, deletecollection]
# for checking the app parent resources as deployments or sts and are eligible chaos candidates
- apiGroups: [apps]
resources: [deployments, statefulsets]
verbs: [list, get, patch, update, create, delete]
# for checking the app parent resources as replicasets and are eligible chaos candidates
- apiGroups: [apps]
resources: [replicasets]
verbs: [list, get]
# for checking the app parent resources as deamonsets and are eligible chaos candidates
- apiGroups: [apps]
resources: [daemonsets]
verbs: [list, get, delete]
# for checking (openshift) app parent resources if they are eligible chaos candidates
- apiGroups: [apps.openshift.io]
resources: [deploymentconfigs]
verbs: [list, get]
# for checking (argo) app parent resources if they are eligible chaos candidates
- apiGroups: [argoproj.io]
resources: [rollouts]
verbs: [list, get]
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: [litmuschaos.io]
resources: [chaosengines, chaosexperiments, chaosresults]
verbs: [create, list, get, patch, update, delete]
# for experiment to perform node status checks and other node level operations like taint, drain in the experiment.
- apiGroups: [""]
resources: [nodes]
verbs: [patch, get, list, update]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: litmus-admin-crb-for-litmusportal-server
labels:
name: litmus-admin-crb-for-litmusportal-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: litmus-admin-cr-for-litmusportal-server
subjects:
- kind: ServiceAccount
name: litmus-server-account
namespace: litmus
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: chaos-cr-for-litmusportal-server
rules:
# for managing the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: [""]
resources: [pods, services, namespaces]
verbs: [create, get, watch, patch, delete, list]
# for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
- apiGroups: [""]
resources: [pods/log, secrets, configmaps]
verbs: [get, watch, create, delete, patch]
# for creation & deletion of application in predefined workflows
- apiGroups: [apps]
resources: [deployments, statefulsets]
verbs: [get, watch, patch, create, delete]
# for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
- apiGroups: [litmuschaos.io]
resources: [chaosengines, chaosexperiments, chaosresults, chaosschedules]
verbs: [create, list, get, patch, delete, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: chaos-crb-for-litmusportal-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: chaos-cr-for-litmusportal-server
subjects:
- kind: ServiceAccount
name: litmus-server-account
namespace: litmus
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: subscriber-cr-for-litmusportal-server
namespace: litmus
labels:
name: subscriber-cr-for-litmusportal-server
rules:
- apiGroups: [""]
resources: [configmaps, secrets]
verbs: [get, create, delete, update]
- apiGroups: [""]
resources: [pods/log]
verbs: [get, list, watch]
- apiGroups: [""]
resources: [pods, namespaces, nodes, services]
verbs: [get, list, watch]
- apiGroups: [litmuschaos.io]
resources: [chaosengines, chaosschedules, chaosresults]
verbs: [get, list, create, delete, update, watch]
- apiGroups: [apps.openshift.io]
resources: [deploymentconfigs]
verbs: [get, list]
- apiGroups: [apps]
resources: [deployments, daemonsets, replicasets, statefulsets]
verbs: [get, list, delete, deletecollection]
- apiGroups: [argoproj.io]
resources:
[
workflows,
workflows/finalizers,
workflowtemplates,
workflowtemplates/finalizers,
cronworkflows,
cronworkflows/finalizers,
clusterworkflowtemplates,
clusterworkflowtemplates/finalizers,
rollouts,
]
verbs: [get, list, create, delete, update, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: subscriber-crb-for-litmusportal-server
namespace: litmus
subjects:
- kind: ServiceAccount
name: litmus-server-account
namespace: litmus
roleRef:
kind: ClusterRole
name: subscriber-cr-for-litmusportal-server
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: event-tracker-cr-for-litmusportal-server
rules:
- apiGroups: [eventtracker.litmuschaos.io]
resources: [eventtrackerpolicies]
verbs: [create, delete, get, list, patch, update, watch]
- apiGroups: [eventtracker.litmuschaos.io]
resources: [eventtrackerpolicies/status]
verbs: [get, patch, update]
- apiGroups: ["", extensions, apps]
resources:
[deployments, daemonsets, statefulsets, pods, configmaps, secrets]
verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: event-tracker-crb-for-litmusportal-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: event-tracker-cr-for-litmusportal-server
subjects:
- kind: ServiceAccount
name: litmus-server-account
namespace: litmus
# litmus-server-cr is used by the litmusportal-server
# If SELF_AGENT=false, then only litmus-server-cr and litmus-server-crb are required.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: litmus-server-cr
rules:
- apiGroups: [networking.k8s.io, extensions]
resources: [ingresses]
verbs: [get]
- apiGroups: [""]
resources: [services, nodes, pods/log]
verbs: [get, watch]
- apiGroups: [apiextensions.k8s.io]
resources: [customresourcedefinitions]
verbs: [create]
- apiGroups: [apps]
resources: [deployments]
verbs: [create]
- apiGroups: [""]
resources: [configmaps]
verbs: [get]
- apiGroups: [""]
resources: [serviceaccounts]
verbs: [create]
- apiGroups: [rbac.authorization.k8s.io]
resources: [rolebindings, roles, clusterrolebindings, clusterroles]
verbs: [create]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: litmus-server-crb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: litmus-server-cr
subjects:
- kind: ServiceAccount
name: litmus-server-account
namespace: litmus
## Control plane manifests
---
apiVersion: v1
kind: Namespace
metadata:
name: litmus
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: litmus-server-account
namespace: litmus
---
apiVersion: v1
kind: Secret
metadata:
name: litmus-portal-admin-secret
namespace: litmus
stringData:
JWT_SECRET: "litmus-portal@123"
DB_USER: "root"
DB_PASSWORD: "1234"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: litmus-portal-admin-config
namespace: litmus
data:
DB_SERVER: mongodb://my-release-mongodb-0.my-release-mongodb-headless:27017,my-release-mongodb-1.my-release-mongodb-headless:27017,my-release-mongodb-2.my-release-mongodb-headless:27017/admin
VERSION: "3.0.0"
SKIP_SSL_VERIFY: "false"
# Configurations if you are using dex for OAuth
DEX_ENABLED: "false"
OIDC_ISSUER: "http://<Your Domain>:32000"
DEX_OAUTH_CALLBACK_URL: "http://<litmus-portal frontend exposed URL>:8080/auth/dex/callback"
DEX_OAUTH_CLIENT_ID: "LitmusPortalAuthBackend"
DEX_OAUTH_CLIENT_SECRET: "ZXhhbXBsZS1hcHAtc2VjcmV0"
OAuthJwtSecret: "litmus-oauth@123"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: litmusportal-frontend-nginx-configuration
namespace: litmus
data:
nginx.conf: |
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
gzip on;
gzip_disable "msie6";
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
server {
listen 8185 default_server;
root /opt/chaos;
location /health {
return 200;
}
location / {
proxy_http_version 1.1;
add_header Cache-Control "no-cache";
try_files $uri /index.html;
autoindex on;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location /auth/ {
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass "http://litmusportal-auth-server-service:9003/";
}
location /api/ {
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass "http://litmusportal-server-service:9002/";
}
location /ws/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass "http://litmusportal-server-service:9002/";
}
}
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: litmusportal-frontend
namespace: litmus
labels:
component: litmusportal-frontend
spec:
replicas: 1
selector:
matchLabels:
component: litmusportal-frontend
template:
metadata:
labels:
component: litmusportal-frontend
spec:
automountServiceAccountToken: false
containers:
- name: litmusportal-frontend
image: litmuschaos/litmusportal-frontend:3.0.0
imagePullPolicy: Always
# securityContext:
# runAsUser: 2000
# allowPrivilegeEscalation: false
# runAsNonRoot: true
ports:
- containerPort: 8185
resources:
requests:
memory: "150Mi"
cpu: "125m"
ephemeral-storage: "500Mi"
limits:
memory: "512Mi"
cpu: "550m"
ephemeral-storage: "1Gi"
volumeMounts:
- name: nginx-config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
volumes:
- name: nginx-config
configMap:
name: litmusportal-frontend-nginx-configuration
---
apiVersion: v1
kind: Service
metadata:
name: litmusportal-frontend-service
namespace: litmus
spec:
type: NodePort
ports:
- name: http
port: 9091
targetPort: 8185
selector:
component: litmusportal-frontend
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: litmusportal-server
namespace: litmus
labels:
component: litmusportal-server
spec:
replicas: 1
selector:
matchLabels:
component: litmusportal-server
template:
metadata:
labels:
component: litmusportal-server
spec:
volumes:
- name: gitops-storage
emptyDir: {}
- name: hub-storage
emptyDir: {}
containers:
- name: graphql-server
image: litmuschaos/litmusportal-server:3.0.0
volumeMounts:
- mountPath: /tmp/
name: gitops-storage
- mountPath: /tmp/version
name: hub-storage
securityContext:
runAsUser: 2000
allowPrivilegeEscalation: false
runAsNonRoot: true
readOnlyRootFilesystem: true
envFrom:
- configMapRef:
name: litmus-portal-admin-config
- secretRef:
name: litmus-portal-admin-secret
env:
# if self-signed certificate are used pass the k8s tls secret name created in portal ns, to allow agents to use tls for communication
- name: TLS_SECRET_NAME
value: ""
- name: LITMUS_PORTAL_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CHAOS_CENTER_SCOPE
value: "cluster"
- name: SUBSCRIBER_IMAGE
value: "litmuschaos/litmusportal-subscriber:3.0.0"
- name: EVENT_TRACKER_IMAGE
value: "litmuschaos/litmusportal-event-tracker:3.0.0"
- name: ARGO_WORKFLOW_CONTROLLER_IMAGE
value: "litmuschaos/workflow-controller:v3.3.1"
- name: ARGO_WORKFLOW_EXECUTOR_IMAGE
value: "litmuschaos/argoexec:v3.3.1"
- name: LITMUS_CHAOS_OPERATOR_IMAGE
value: "litmuschaos/chaos-operator:3.0.0"
- name: LITMUS_CHAOS_RUNNER_IMAGE
value: "litmuschaos/chaos-runner:3.0.0"
- name: LITMUS_CHAOS_EXPORTER_IMAGE
value: "litmuschaos/chaos-exporter:3.0.0"
- name: SERVER_SERVICE_NAME
value: "litmusportal-server-service"
- name: INFRA_DEPLOYMENTS
value: '["app=chaos-exporter", "name=chaos-operator", "app=workflow-controller", "app=event-tracker"]'
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: CHAOS_CENTER_UI_ENDPOINT
value: ""
- name: INGRESS
value: "false"
- name: INGRESS_NAME
value: "litmus-ingress"
- name: CONTAINER_RUNTIME_EXECUTOR
value: "k8sapi"
- name: DEFAULT_HUB_BRANCH_NAME
value: "v3.0.x"
- name: LITMUS_AUTH_GRPC_ENDPOINT
value: "litmusportal-auth-server-service"
- name: LITMUS_AUTH_GRPC_PORT
value: ":3030"
- name: WORKFLOW_HELPER_IMAGE_VERSION
value: "3.0.0"
- name: REMOTE_HUB_MAX_SIZE
value: "5000000"
- name: INFRA_COMPATIBLE_VERSIONS
value: '["3.0.0"]'
ports:
- containerPort: 8080
- containerPort: 8000
imagePullPolicy: Always
resources:
requests:
memory: "250Mi"
cpu: "225m"
ephemeral-storage: "500Mi"
limits:
memory: "712Mi"
cpu: "550m"
ephemeral-storage: "1Gi"
serviceAccountName: litmus-server-account
---
apiVersion: v1
kind: Service
metadata:
name: litmusportal-server-service
namespace: litmus
spec:
type: NodePort
ports:
- name: graphql-server
port: 9002
targetPort: 8080
- name: graphql-rpc-server
port: 8000
targetPort: 8000
selector:
component: litmusportal-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: litmusportal-auth-server
namespace: litmus
labels:
component: litmusportal-auth-server
spec:
replicas: 1
selector:
matchLabels:
component: litmusportal-auth-server
template:
metadata:
labels:
component: litmusportal-auth-server
spec:
automountServiceAccountToken: false
containers:
- name: auth-server
image: litmuschaos/litmusportal-auth-server:3.0.0
securityContext:
runAsUser: 2000
allowPrivilegeEscalation: false
runAsNonRoot: true
readOnlyRootFilesystem: true
envFrom:
- configMapRef:
name: litmus-portal-admin-config
- secretRef:
name: litmus-portal-admin-secret
env:
- name: STRICT_PASSWORD_POLICY
value: "false"
- name: ADMIN_USERNAME
value: "admin"
- name: ADMIN_PASSWORD
value: "litmus"
- name: LITMUS_GQL_GRPC_ENDPOINT
value: "litmusportal-server-service"
- name: LITMUS_GQL_GRPC_PORT
value: ":8000"
resources:
requests:
memory: "250Mi"
cpu: "225m"
ephemeral-storage: "500Mi"
limits:
memory: "712Mi"
cpu: "550m"
ephemeral-storage: "1Gi"
ports:
- containerPort: 3000
- containerPort: 3030
imagePullPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
name: litmusportal-auth-server-service
namespace: litmus
spec:
type: NodePort
ports:
- name: auth-server
port: 9003
targetPort: 3000
- name: auth-rpc-server
port: 3030
targetPort: 3030
selector:
component: litmusportal-auth-server
Reference in New Issue View Git Blame Copy Permalink