### Proposed changes

Updates the Helm chart to install PKOv2, as similarly as possible to `operator/config/default`.

Details:
- adds an aggregation role (view/edit) for the Pulumi API groups
- tweaks the controller's resources such that limits equal resources to have "guaranteed" qos
- exposes the metrics port and the fileserver port
- supports two rbac modes for the controller - ClusterRole and Role

To install:
```
helm upgrade --install pulumi-kubernetes-operator ./deploy/helm/pulumi-operator
```

### Related issues (optional)

Closes #684
1 parent 3c0c7a9, commit 388a7ee
Showing 17 changed files with 546 additions and 154 deletions.
196 changes: 185 additions & 11 deletions
deploy/helm/pulumi-operator/templates/clusterrole.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,19 +1,193 @@ | ||
{{- if .Values.createClusterRole }} | ||
{{- if and .Values.rbac.create .Values.rbac.createClusterRole }} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: {{ include "pulumi-kubernetes-operator.fullname" . }} | ||
name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager | ||
labels: | ||
{{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} | ||
rules: | ||
{{- if .Values.clusterRoleRules.enabled }} | ||
{{- toYaml .Values.clusterRoleRules.rules | nindent 2 }} | ||
{{- else }} | ||
- apiGroups: | ||
- '*' | ||
resources: | ||
- '*' | ||
verbs: | ||
- '*' | ||
{{- if .Values.rbac.extraRules }} | ||
{{- toYaml .Values.rbac.extraRules | nindent 2 }} | ||
{{- end }} | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- events | ||
verbs: | ||
- create | ||
- patch | ||
- update | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- secrets | ||
verbs: | ||
- create | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- apps | ||
resources: | ||
- statefulsets | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- auto.pulumi.com | ||
resources: | ||
- updates | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- auto.pulumi.com | ||
resources: | ||
- updates/finalizers | ||
verbs: | ||
- update | ||
- apiGroups: | ||
- auto.pulumi.com | ||
resources: | ||
- updates/status | ||
verbs: | ||
- get | ||
- patch | ||
- update | ||
- apiGroups: | ||
- auto.pulumi.com | ||
resources: | ||
- workspaces | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- auto.pulumi.com | ||
resources: | ||
- workspaces/finalizers | ||
verbs: | ||
- update | ||
- apiGroups: | ||
- auto.pulumi.com | ||
resources: | ||
- workspaces/status | ||
verbs: | ||
- get | ||
- patch | ||
- update | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- pods | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- services | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- pulumi.com | ||
resources: | ||
- programs | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- pulumi.com | ||
resources: | ||
- programs/finalizers | ||
verbs: | ||
- update | ||
- apiGroups: | ||
- pulumi.com | ||
resources: | ||
- programs/status | ||
verbs: | ||
- get | ||
- patch | ||
- update | ||
- apiGroups: | ||
- pulumi.com | ||
resources: | ||
- stacks | ||
verbs: | ||
- create | ||
- delete | ||
- get | ||
- list | ||
- patch | ||
- update | ||
- watch | ||
- apiGroups: | ||
- pulumi.com | ||
resources: | ||
- stacks/finalizers | ||
verbs: | ||
- update | ||
- apiGroups: | ||
- pulumi.com | ||
resources: | ||
- stacks/status | ||
verbs: | ||
- get | ||
- patch | ||
- update | ||
- apiGroups: | ||
- source.toolkit.fluxcd.io | ||
resources: | ||
- buckets | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- source.toolkit.fluxcd.io | ||
resources: | ||
- gitrepositories | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
- apiGroups: | ||
- source.toolkit.fluxcd.io | ||
resources: | ||
- ocirepositories | ||
verbs: | ||
- get | ||
- list | ||
- watch | ||
{{- end }} |
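Review bot: The `secrets` rule in this ClusterRole (`create`, `get`, `list`, `watch` on core `secrets`) applies cluster-wide once bound by the ClusterRoleBinding, so the controller's service account can read every Secret in every namespace; the `pods`, `services` and `statefulsets` rules likewise grant write access in all namespaces. Dropping the old `'*'`/`'*'`/`'*'` rule for an explicit list is the right direction, but the chart's values documentation should say that the Role mode mentioned in the description is the narrower choice and state why cluster-wide Secret reads are needed in ClusterRole mode. Two smaller points: `.Values.rbac.extraRules` is rendered verbatim with `toYaml`, so a values file can reintroduce a wildcard rule without any warning, and the previous keys `createClusterRole` and `clusterRoleRules` are no longer read by this template, so values files that still set them are ignored silently. A note in the upgrade documentation, or a template check that fails when the old keys are set, would make that visible.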
13 changes: 6 additions & 7 deletions
deploy/helm/pulumi-operator/templates/clusterrolebinding.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,16 @@ | ||
{{- if .Values.createClusterRole }} | ||
{{- if and .Values.rbac.create .Values.rbac.createClusterRole }} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: {{ include "pulumi-kubernetes-operator.fullname" . }} | ||
namespace: {{ .Release.Namespace | quote }} | ||
labels: | ||
{{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} | ||
{{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: {{ include "pulumi-kubernetes-operator.fullname" . }}-controller-manager | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ include "pulumi-kubernetes-operator.serviceAccountName" . }} | ||
namespace: {{ .Release.Namespace | quote }} | ||
roleRef: | ||
kind: ClusterRole | ||
name: {{ include "pulumi-kubernetes-operator.fullname" . }} | ||
apiGroup: rbac.authorization.k8s.io | ||
{{- end }} |
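Review bot: The binding keeps its name, `{{ include "pulumi-kubernetes-operator.fullname" . }}`, while `roleRef.name` changes to the `-controller-manager` ClusterRole. The Kubernetes API does not allow `roleRef` to be changed on an existing binding, so `helm upgrade` on a release that already created this ClusterRoleBinding would be rejected until the old object is deleted. Giving the binding the same `-controller-manager` suffix as the ClusterRole makes it a new object and keeps the two names aligned; otherwise the upgrade notes should tell users to delete the old binding first. Removing `namespace` from the metadata is correct, since ClusterRoleBinding is cluster-scoped.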
22 changes: 22 additions & 0 deletions
deploy/helm/pulumi-operator/templates/edit_clusterrole.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
{{- if and .Values.rbac.create .Values.rbac.createClusterAggregationRoles }} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: {{ include "pulumi-kubernetes-operator.fullname" . }}-edit | ||
labels: | ||
{{- include "pulumi-kubernetes-operator.labels" . | nindent 4 }} | ||
rbac.authorization.k8s.io/aggregate-to-admin: "true" | ||
rbac.authorization.k8s.io/aggregate-to-edit: "true" | ||
rules: | ||
- apiGroups: | ||
- pulumi.com | ||
- auto.pulumi.com | ||
resources: | ||
- '*' | ||
verbs: | ||
- create | ||
- delete | ||
- deletecollection | ||
- patch | ||
- update | ||
{{- end }} |
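Review bot: `resources: '*'` in the `-edit` role matches every resource and subresource in `pulumi.com` and `auto.pulumi.com`, so anyone holding the built-in `admin` or `edit` role in a namespace gains `patch` and `update` on `stacks/status`, `workspaces/status`, `updates/status` and the `*/finalizers` subresources that the controller role treats as its own. It also covers any kind added to these groups later. Suggest listing the user-facing resources explicitly (for example `stacks`, `programs`, `workspaces`, `updates`, as named in the controller ClusterRole) and leaving the status and finalizers subresources to the controller. Since the aggregation labels change what the cluster's existing `admin` and `edit` roles can do, the description of `rbac.createClusterAggregationRoles` should say so.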