From f79a3d7a947463863fb26dec98507e2aa817aaec Mon Sep 17 00:00:00 2001
From: Rokibul Hasan
Date: Wed, 5 Jun 2024 20:13:01 +0600
Subject: [PATCH] Update cluster-auth charts (#17)

Signed-off-by: Rokibul Hasan
---
 apis/installer/v1alpha1/cluster_auth_types.go | 10 ++++++----
 charts/cluster-auth/README.md | 2 ++
 .../cluster-auth/templates/cluster-role.yaml | 6 ------
 charts/cluster-auth/templates/deployment.yaml | 20 ++++++++++++++++++-
 charts/cluster-auth/templates/namespace.yaml | 4 ++++
 .../cluster-auth/values.openapiv3_schema.yaml | 6 ++++++
 charts/cluster-auth/values.yaml | 6 ++++++
 7 files changed, 43 insertions(+), 11 deletions(-)
 create mode 100644 charts/cluster-auth/templates/namespace.yaml

diff --git a/apis/installer/v1alpha1/cluster_auth_types.go b/apis/installer/v1alpha1/cluster_auth_types.go
index aeed8f59..b4cdd63b 100644
--- a/apis/installer/v1alpha1/cluster_auth_types.go
+++ b/apis/installer/v1alpha1/cluster_auth_types.go
@@ -73,10 +73,12 @@ type ClusterAuthSpec struct {
 	// PodSecurityContext holds pod-level security attributes and common container settings.
 	// Optional: Defaults to empty. See type description for default values of each field.
 	// +optional
-	PodSecurityContext *core.PodSecurityContext `json:"podSecurityContext"`
-	ServiceAccount     ServiceAccountSpec       `json:"serviceAccount"`
-	Monitoring         Monitoring               `json:"monitoring"`
-	ApiServer          ApiServerSpec            `json:"apiServer"`
+	PodSecurityContext      *core.PodSecurityContext `json:"podSecurityContext"`
+	ServiceAccount          ServiceAccountSpec       `json:"serviceAccount"`
+	Monitoring              Monitoring               `json:"monitoring"`
+	ApiServer               ApiServerSpec            `json:"apiServer"`
+	HubKubeconfigSecretName string                   `json:"hubKubeconfigSecretName"`
+	ClusterName             string                   `json:"clusterName"`
 }
 
 type ImageRef struct {
diff --git a/charts/cluster-auth/README.md b/charts/cluster-auth/README.md
index 880446f2..72bcb5c5 100644
--- a/charts/cluster-auth/README.md
+++ b/charts/cluster-auth/README.md
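Review bot: The two new fields at the end of the `ClusterAuthSpec` hunk carry no doc comment and no `// +optional` marker, although the chart in this same patch treats an empty value as "not set" (the deployment template wraps both the `--hub-kubeconfig` argument and the secret mount in `{{- if .Values.hubKubeconfigSecretName }}`) and values.yaml defaults both to `""`. I would state the contract on the field itself: `// HubKubeconfigSecretName is the name of a Secret in the release namespace whose "kubeconfig" key holds the OCM hub kubeconfig; empty means no hub kubeconfig is mounted.` and `// ClusterName is the managed cluster name passed to the agent, needed where no Klusterlet object exists to derive it from.`, each followed by `// +optional`. I would leave the json tags without `omitempty`, since the chart's OpenAPI schema in this patch lists both keys under `required`. The struct definition starts before the hunk.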
@@ -72,6 +72,8 @@ The following table lists the configurable parameters of the `cluster-auth-agent
 | monitoring.agent | Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin") | prometheus.io/operator |
 | monitoring.serviceMonitor.labels | Specify the labels for ServiceMonitor. Prometheus crd will select ServiceMonitor using these labels. Only usable when monitoring agent is `prometheus.io/operator`. | {} |
 | apiServer.healthcheck.enabled | | false |
+| hubKubeconfigSecretName | Name of OCM Hub Kubeconfig secret | "" |
+| clusterName | We need to pass the cluster name because the OCM-MC host cluster doesn't have Klusterlet object. | "" |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example:
 
diff --git a/charts/cluster-auth/templates/cluster-role.yaml b/charts/cluster-auth/templates/cluster-role.yaml
index e0d06962..7c7d4cc7 100644
--- a/charts/cluster-auth/templates/cluster-role.yaml
+++ b/charts/cluster-auth/templates/cluster-role.yaml
@@ -20,9 +20,3 @@ rules:
   - roles
   - rolebindings
   verbs: ["*"]
-# ocm cluster name detection
-- apiGroups:
-  - operator.open-cluster-management.io
-  resources:
-  - klusterlets
-  verbs: ["get", "list", "watch"]
diff --git a/charts/cluster-auth/templates/deployment.yaml b/charts/cluster-auth/templates/deployment.yaml
index 332c3743..2b1c8e39 100644
--- a/charts/cluster-auth/templates/deployment.yaml
+++ b/charts/cluster-auth/templates/deployment.yaml
@@ -4,7 +4,7 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "cluster-auth.fullname" . }}
+  name: cluster-auth-agent
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "cluster-auth.labels" . | nindent 4 }}
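Review bot: The Deployment name in the `metadata:` hunk becomes the literal `cluster-auth-agent` instead of `{{ include "cluster-auth.fullname" . }}`, so `fullnameOverride` (still declared in the values schema in this same patch) no longer affects it and two releases in one namespace would collide on the name; any sibling template that still derives its own name or selector from `cluster-auth.fullname` may now disagree with the Deployment, but those templates are not visible here. If a fixed name is intentional, record the reason in the template, e.g. `{{/* name is intentionally fixed rather than derived from cluster-auth.fullname */}}` followed by why; otherwise restore the helper. The rest of the Deployment spec is outside this hunk.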
@@ -37,6 +37,12 @@ spec:
         args:
         - agent
         - --v={{ .Values.logLevel }}
+        {{- if .Values.hubKubeconfigSecretName }}
+        - --hub-kubeconfig=/var/run/secrets/ocm/auth/kubeconfig
+        {{- end }}
+        {{- if .Values.clusterName }}
+        - --cluster-name={{ .Values.clusterName }}
+        {{- end }}
         ports:
         - containerPort: 8080
         env:
@@ -64,6 +70,18 @@
         {{- end }}
         resources:
           {{- toYaml .Values.image.resources | nindent 10 }}
+        volumeMounts:
+        {{- if .Values.hubKubeconfigSecretName }}
+        - mountPath: /var/run/secrets/ocm/auth
+          name: ocm-auth
+        {{- end }}
+      volumes:
+      {{- if .Values.hubKubeconfigSecretName }}
+      - name: ocm-auth
+        secret:
+          defaultMode: 420
+          secretName: {{ .Values.hubKubeconfigSecretName }}
+      {{- end }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       {{- if or .Values.tolerations $criticalAddon }}
diff --git a/charts/cluster-auth/templates/namespace.yaml b/charts/cluster-auth/templates/namespace.yaml
new file mode 100644
index 00000000..67da8290
--- /dev/null
+++ b/charts/cluster-auth/templates/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Release.Namespace }}
diff --git a/charts/cluster-auth/values.openapiv3_schema.yaml b/charts/cluster-auth/values.openapiv3_schema.yaml
index 49bace2a..b1f301c5 100644
--- a/charts/cluster-auth/values.openapiv3_schema.yaml
+++ b/charts/cluster-auth/values.openapiv3_schema.yaml
@@ -420,10 +420,14 @@ properties:
     required:
     - healthcheck
     type: object
+  clusterName:
+    type: string
   criticalAddon:
     type: boolean
   fullnameOverride:
     type: string
+  hubKubeconfigSecretName:
+    type: string
   image:
     properties:
       registry:
@@ -667,6 +671,8 @@ properties:
     type: array
 required:
 - apiServer
+- clusterName
+- hubKubeconfigSecretName
 - image
 - imagePullPolicy
 - monitoring
diff --git a/charts/cluster-auth/values.yaml b/charts/cluster-auth/values.yaml
index 8df25f81..2071c888 100644
--- a/charts/cluster-auth/values.yaml
+++ b/charts/cluster-auth/values.yaml
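Review bot: The `ocm-auth` secret volume in the second deployment hunk is projected with `defaultMode: 420` (0644), so the hub kubeconfig — a credential for another cluster — is world-readable inside the container, and the volumeMount is not marked read-only. I would tighten it to `defaultMode: 288` (0440 in decimal, which sidesteps the YAML octal ambiguity) and add `readOnly: true` to the `/var/run/secrets/ocm/auth` mount. Secret files are owned by root, so if `podSecurityContext` runs the agent as a non-root user, any mode that drops world-read also needs an `fsGroup` there for the file to stay readable; check the chart's default security context before changing the mode. Separately, a `hubKubeconfigSecretName` that does not exist leaves the Pod in ContainerCreating; `optional: true` on the secret volume would start the agent without the file instead, which may or may not be the failure mode you want.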
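Review bot: The new `namespace.yaml` makes the release own its Namespace, with two consequences the patch does not address: installing into a namespace that already exists now fails, because Helm refuses to adopt a resource it did not create (so `--create-namespace` or a pre-created namespace conflicts with this template), and `helm uninstall` deletes the Namespace and everything in it — including the externally created Secret named by `hubKubeconfigSecretName`, which the deployment template expects in `.Release.Namespace`. If the chart must create the namespace, keep it on uninstall by adding `annotations:` / `"helm.sh/resource-policy": keep` under `metadata:`, and note the adoption limitation in the README; otherwise drop the template and rely on `--create-namespace`.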
@@ -78,3 +78,9 @@ monitoring:
 apiServer:
   healthcheck:
     enabled: false
+
+# Name of OCM Hub Kubeconfig secret
+hubKubeconfigSecretName: ""
+
+# We need to pass the cluster name because the OCM-MC host cluster doesn't have Klusterlet object.
+clusterName: ""
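Review bot: The comment on `hubKubeconfigSecretName` says only "Name of OCM Hub Kubeconfig secret", but the deployment template in this patch mounts the whole Secret at `/var/run/secrets/ocm/auth` and passes `--hub-kubeconfig=/var/run/secrets/ocm/auth/kubeconfig`, so the Secret must exist in the release namespace and carry a key literally named `kubeconfig` — a reader of values.yaml or the README row cannot learn that. I would replace it with `# Name of a Secret in the release namespace whose "kubeconfig" key holds the OCM hub kubeconfig. Leave empty to skip mounting a hub kubeconfig.` The `clusterName` comment reads like a commit message rather than user documentation; `# Name of this managed cluster as known to the OCM hub. Required where no Klusterlet object exists to derive it from (e.g. the OCM-MC host cluster).` tells the user the same thing.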