diff --git a/charts/lagoon-remote/Chart.yaml b/charts/lagoon-remote/Chart.yaml index b46d57ef..e050a684 100644 --- a/charts/lagoon-remote/Chart.yaml +++ b/charts/lagoon-remote/Chart.yaml @@ -19,7 +19,7 @@ type: application # This is the chart version. This version number should be incremented each # time you make changes to the chart and its templates, including the app # version. -version: 0.81.0 +version: 0.82.0 dependencies: - name: lagoon-build-deploy @@ -44,7 +44,5 @@ dependencies: # Valid supported kinds are added, changed, deprecated, removed, fixed and security annotations: artifacthub.io/changes: | - - kind: changed - description: update lagoon-ssh-portal to v0.30.1 - - kind: changed - description: update NATS chart dependency to v0.19.17 + - kind: added + description: add lagoon-remote-ssh-core resources diff --git a/charts/lagoon-remote/templates/_helpers.tpl b/charts/lagoon-remote/templates/_helpers.tpl index a0fd1b6f..56cd7263 100644 --- a/charts/lagoon-remote/templates/_helpers.tpl +++ b/charts/lagoon-remote/templates/_helpers.tpl 
@@ -155,6 +155,43 @@ app.kubernetes.io/instance: {{ .Release.Name }} +{{/* +Create the name of the service account to use for sshCore. +*/}} +{{- define "lagoon-remote.sshCore.serviceAccountName" -}} +{{- default (include "lagoon-remote.sshCore.fullname" .) .Values.sshCore.serviceAccount.name }} +{{- end }} + +{{/* +Create a default fully qualified app name for sshCore. +*/}} +{{- define "lagoon-remote.sshCore.fullname" -}} +{{- include "lagoon-remote.fullname" . }}-ssh-core +{{- end }} + +{{/* +Common labels sshCore. +*/}} +{{- define "lagoon-remote.sshCore.labels" -}} +helm.sh/chart: {{ include "lagoon-remote.chart" . }} +{{ include "lagoon-remote.sshCore.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels sshCore. +*/}} +{{- define "lagoon-remote.sshCore.selectorLabels" -}} +app.kubernetes.io/name: {{ include "lagoon-remote.name" . }} +app.kubernetes.io/component: {{ include "lagoon-remote.sshCore.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + + {{/* Create the name of the service account to use for sshPortal. */}} diff --git a/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml b/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml new file mode 100644 index 00000000..f0a676b6 --- /dev/null +++ b/charts/lagoon-remote/templates/ssh-core.clusterrole.yaml 
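Review bot: The `app.kubernetes.io/component` label in `lagoon-remote.sshCore.selectorLabels` takes its value from `lagoon-remote.sshCore.fullname`, which appends `-ssh-core` to `lagoon-remote.fullname` with no truncation. Kubernetes limits label values to 63 characters, so with a long release name (and `lagoon-remote.fullname`, defined outside this hunk, presumably already truncated to 63) the API server would reject every sshCore resource carrying these labels. Consider `{{- include "lagoon-remote.fullname" . | trunc 54 | trimSuffix "-" }}-ssh-core` in the fullname helper, or a fixed component value such as `ssh-core`.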
@@ -0,0 +1,39 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "lagoon-remote.sshCore.fullname" . }}
+ labels:
+ {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+rules:
+# k8s.ensureScaled
+- apiGroups:
+ - apps
+ resources:
+ - deployments/scale
+ verbs:
+ - get
+ - update
+# k8s.podName, k8s.FindDeployment
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+# k8s.Exec
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+{{- end }}
diff --git a/charts/lagoon-remote/templates/ssh-core.clusterrolebinding.yaml b/charts/lagoon-remote/templates/ssh-core.clusterrolebinding.yaml
new file mode 100644
index 00000000..bb48fb8d
--- /dev/null
+++ b/charts/lagoon-remote/templates/ssh-core.clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.sshCore.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "lagoon-remote.sshCore.fullname" . }}
+ labels:
+ {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "lagoon-remote.sshCore.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/lagoon-remote/templates/ssh-core.secret.yaml b/charts/lagoon-remote/templates/ssh-core.secret.yaml
new file mode 100644
index 00000000..750190e8
--- /dev/null
+++ b/charts/lagoon-remote/templates/ssh-core.secret.yaml
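Review bot: The `pods/exec` `create` rule and the `deployments/scale` `update` rule sit in a ClusterRole that ssh-core.clusterrolebinding.yaml attaches with a ClusterRoleBinding, so the sshCore ServiceAccount can exec into and scale workloads in every namespace, system namespaces and lagoon-remote's own included. Together with the long-lived token created in ssh-core.secret.yaml, whoever holds that token can run commands in any pod on the cluster, which the word "restricted" in the values.yaml comment does not convey. If the consumer only needs Lagoon environment namespaces, consider per-namespace RoleBindings to this ClusterRole instead of one ClusterRoleBinding. If cluster scope is required, say so in the template, e.g. `# NOTE: bound cluster-wide; grants exec into pods in ALL namespaces. Treat the token as a cluster-level credential.` above `rules:`.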
@@ -0,0 +1,11 @@ +{{- if .Values.sshCore.enabled -}} +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }}-token + labels: + {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }} + annotations: + kubernetes.io/service-account.name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }} +{{- end }} diff --git a/charts/lagoon-remote/templates/ssh-core.serviceaccount.yaml b/charts/lagoon-remote/templates/ssh-core.serviceaccount.yaml new file mode 100644 index 00000000..a8d2f6bb --- /dev/null +++ b/charts/lagoon-remote/templates/ssh-core.serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.sshCore.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "lagoon-remote.sshCore.serviceAccountName" . }} + labels: + {{- include "lagoon-remote.sshCore.labels" . | nindent 4 }} + {{- with .Values.sshCore.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/lagoon-remote/values.yaml b/charts/lagoon-remote/values.yaml index 9b0640b1..7b9518cc 100644 --- a/charts/lagoon-remote/values.yaml +++ b/charts/lagoon-remote/values.yaml @@ -113,6 +113,17 @@ kubernetesBuildDeploy: # If not set, a name is generated using the fullname template. name: +# sshCore creates a restricted, non-expiring ServiceAccount token for use by +# lagoon-core. +sshCore: + enabled: true + serviceAccount: + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname + # template + name: "" + # sshPortal is an optional service providing low-latency SSH connectivity to # Lagoon environments. sshPortal:
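Review bot: This Secret of type `kubernetes.io/service-account-token` makes the control plane mint a token with no expiry for the sshCore ServiceAccount, and nothing in the chart rotates it or documents how to revoke it. A copy leaked from lagoon-core, from a backup, or through `get secrets` in the release namespace stays valid until the Secret or the ServiceAccount is deleted. If the consumer can obtain short-lived tokens through the TokenRequest API, prefer that; otherwise record the revocation path in the template, e.g. `# Long-lived token with no expiry: revoke by deleting this Secret.` Also pipe the `kubernetes.io/service-account.name` annotation value through `| quote`, since an all-digit override of `sshCore.serviceAccount.name` would otherwise render as a non-string.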
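Review bot: The ServiceAccount leaves `automountServiceAccountToken` at its default, although the values.yaml comment describes the account as existing only to back a token handed to lagoon-core. Any pod in the release namespace that names this account would get the cluster-wide exec credential mounted automatically. Adding `automountServiceAccountToken: false` at the top level of the ServiceAccount keeps the credential confined to the explicit Secret.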
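Review bot: `sshCore.enabled: true` switches the new resources on by default, so every existing install that upgrades to 0.82.0 gains a ClusterRoleBinding and a non-expiring token with `pods/exec` rights whether or not lagoon-core will ever use it. Consider defaulting to `enabled: false` so operators opt in. The comment on `name` also refers to `create`, but `sshCore.serviceAccount` has no `create` key; reword it to `# If not set, a name is generated using the fullname template.` The sshCore mapping is complete within the hunk, while the neighbouring kubernetesBuildDeploy and sshPortal values continue outside it.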