From 4f33d47721d2fd174600bcc6e0c737266b34848f Mon Sep 17 00:00:00 2001
From: alikdell <52920355+alikdell@users.noreply.github.com>
Date: Tue, 21 May 2024 11:23:34 -0400
Subject: [PATCH] chart/csm-authorization support authorization-controller deployment in cluster (#429)
* add support for authorization-controller deployment in cluster
* add support for authorization-controller deployment in cluster
---
 .../templates/authorization-controller.yaml | 111 ++++++++++++++++++
 charts/csm-authorization/values.yaml | 9 +-
 2 files changed, 116 insertions(+), 4 deletions(-)
 create mode 100644 charts/csm-authorization/templates/authorization-controller.yaml
diff --git a/charts/csm-authorization/templates/authorization-controller.yaml b/charts/csm-authorization/templates/authorization-controller.yaml
new file mode 100644
index 00000000..027a46e8
--- /dev/null
+++ b/charts/csm-authorization/templates/authorization-controller.yaml
@@ -0,0 +1,111 @@
+# Controller
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: authorization-controller
+ namespace: {{ include "custom.namespace" . }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: authorization-controller
+rules:
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["csmroles"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["csmroles/status"]
+ verbs: ["get", "update", "patch"]
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["csmroles/finalizers"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["csmtenants"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["csmtenants/status"]
+ verbs: ["get", "update", "patch"]
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["csmtenants/finalizers"]
+ verbs: ["update"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["storages"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["storages/status"]
+ verbs: ["get", "update", "patch"]
+ - apiGroups: ["csm-authorization.storage.dell.com"]
+ resources: ["storages/finalizers"]
+ verbs: ["update"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "update", "get", "list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: authorization-controller
+subjects:
+ - kind: ServiceAccount
+ name: authorization-controller
+ namespace: {{ include "custom.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: authorization-controller
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authorization-controller
+ namespace: {{ include "custom.namespace" . }}
+ labels:
+ app: authorization-controller
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: authorization-controller
+ template:
+ metadata:
+ labels:
+ app: authorization-controller
+ spec:
+ serviceAccountName: authorization-controller
+ containers:
+ - name: authorization-controller
+ image: {{ required "Must provide the controller image." .Values.authorization.images.authorizationController }}
+ imagePullPolicy: Always
+ args:
+ - "--authorization-namespace={{ .Release.Namespace }}"
+ - "--health-probe-bind-address=:8081"
+ - "--leader-elect=true"
+ - "--tenant-service-address=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051"
+ - "--storage-service-address=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051"
+ - "--role-service-address=role-service.{{ .Release.Namespace }}.svc.cluster.local:50051"
+ env:
+ - name: NAMESPACE
+ value: {{ include "custom.namespace" . }}
+ ports:
+ - containerPort: 50052
+ name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authorization-controller
+ namespace: {{ include "custom.namespace" . }}
+spec:
+ selector:
+ app: authorization-controller
+ ports:
+ - port: 50052
+ targetPort: 50052
+ name: http
+---
diff --git a/charts/csm-authorization/values.yaml b/charts/csm-authorization/values.yaml
index 6dcd6b70..564b19a4 100644
--- a/charts/csm-authorization/values.yaml
+++ b/charts/csm-authorization/values.yaml
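Review bot: The ClusterRole in authorization-controller.yaml grants `configmaps` (get/list/watch), `events` and `leases` in every namespace, although the Deployment passes `--authorization-namespace={{ .Release.Namespace }}`, which suggests the controller works inside one namespace. If that holds (the controller code is not on this page, and its cache would have to be namespace-scoped), move those three rules into a namespaced Role and RoleBinding and keep only the `csm-authorization.storage.dell.com` rules in the ClusterRole, as sketched below. The container also sets no `securityContext` or `resources`, and no liveness or readiness probe uses the `:8081` health address configured in the args. Object namespaces come from `include "custom.namespace" .` while the args and service addresses use `.Release.Namespace`; if the helper can return a different value, the controller would be pointed at the wrong namespace.

```yaml
# … unchanged: ServiceAccount; ClusterRole keeps only the csm-authorization.storage.dell.com rules …
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: authorization-controller
  namespace: {{ include "custom.namespace" . }}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "update", "get", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: authorization-controller
  namespace: {{ include "custom.namespace" . }}
subjects:
  - kind: ServiceAccount
    name: authorization-controller
    namespace: {{ include "custom.namespace" . }}
roleRef:
  kind: Role
  name: authorization-controller
  apiGroup: rbac.authorization.k8s.io
# … unchanged: ClusterRoleBinding, Deployment, Service …
```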
@@ -17,10 +17,11 @@ cert-manager:
 authorization:
 # images to use in installation
 images:
- proxyService: dellemc/csm-authorization-proxy:v1.11.0
- tenantService: dellemc/csm-authorization-tenant:v1.11.0
- roleService: dellemc/csm-authorization-role:v1.11.0
- storageService: dellemc/csm-authorization-storage:v1.11.0
+ proxyService: dellemc/csm-authorization-proxy:v1.10.0
+ tenantService: dellemc/csm-authorization-tenant:v1.10.0
+ roleService: dellemc/csm-authorization-role:v1.10.0
+ storageService: dellemc/csm-authorization-storage:v1.10.0
+ authorizationController: dellemc/csm-authorization-controller:v2.0.0-alpha
 opa: openpolicyagent/opa
 opaKubeMgmt: openpolicyagent/kube-mgmt:0.11
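Review bot: The four existing image tags move from `v1.11.0` back to `v1.10.0` in this hunk, which the commit subject (adding the authorization-controller) does not explain and which may drop fixes shipped in the newer images. If this is a stale-branch artefact rather than an intended rollback, keep the `v1.11.0` lines and add only the `authorizationController` key. The new default `dellemc/csm-authorization-controller:v2.0.0-alpha` is a tag reference, and the Deployment added in this commit pulls it with `imagePullPolicy: Always`, so whatever the tag points to at pod start is what runs. Pinning by digest, e.g. `dellemc/csm-authorization-controller@sha256:<digest-placeholder>`, would make the deployed content reproducible.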