move helm chart to reactiveops/charts (#128)

* move helm chart to reactiveops/charts

init helm in circleci

fix template command

* update release process
This commit is contained in:
Bobby Brennan
2019-06-13 13:07:10 -06:00
committed by GitHub
parent ebfb4ea9a1
commit 50d32b9b4c
20 changed files with 111 additions and 1075 deletions

.circleci/build.config Normal file

@@ -0,0 +1,5 @@
DOCKERFILE='Dockerfile'
EXTERNAL_REGISTRY_BASE_DOMAIN=quay.io
REPOSITORY_NAME=reactiveops/polaris
DOCKERTAG=${EXTERNAL_REGISTRY_BASE_DOMAIN}/${REPOSITORY_NAME}


@@ -1,38 +1,32 @@
version: 2
references:
install_goreleaser: &install_goreleaser
run:
name: Install GoReleaser
command: |
curl -fsSLo goreleaser.deb https://github.com/goreleaser/goreleaser/releases/download/v0.94.0/goreleaser_amd64.deb
echo "8dbad6683d6fc9367e637e6eed8e01a0d63c9660 goreleaser.deb" | sha1sum -c
sudo dpkg -i goreleaser.deb
rm goreleaser.deb
set_environment_variables: &set_environment_variables
run:
name: Set Environment Variables
command: |
echo 'export REPO=quay.io/reactiveops/polaris' >> ${BASH_ENV}
echo 'export CI_SHA1=$CIRCLE_SHA1' >> ${BASH_ENV}
echo 'export CI_BRANCH=$CIRCLE_BRANCH' >> ${BASH_ENV}
echo 'export CI_BUILD_NUM=$CIRCLE_BUILD_NUM' >> ${BASH_ENV}
echo 'export CI_TAG=$CIRCLE_TAG' >> ${BASH_ENV}
echo 'export PUSH_ALL_VERSION_TAGS=true' >> ${BASH_ENV}
docker_build_and_push: &docker_build_and_push
run:
name: Docker login, build, and push
command: |
docker build -t $REPO:dev-$CIRCLE_SHA1 .
docker-pull -f .circleci/build.config
docker-build -f .circleci/build.config
if [[ -n $CIRCLE_TAG ]]; then
export ADDITIONAL_DOCKER_TAG_VERSIONS=(`echo $CIRCLE_TAG | sed -e 's/\(\w\+\)\..*$/\1/'`)
fi
if [[ -z $CIRCLE_PR_NUMBER ]]; then
docker login quay.io -u="reactiveops+circleci" -p="${quay_token}"
docker push $REPO:dev-$CIRCLE_SHA1
docker-push -f .circleci/build.config
else
echo "Skipping docker push for forked PR"
fi
docker_tag_release: &docker_tag_release
run:
name: Docker tag release
command: |
docker login quay.io -u="reactiveops+circleci" -p="${quay_token}"
docker build -t $REPO:dev-$CIRCLE_SHA1 .
docker tag $REPO:dev-$CIRCLE_SHA1 $REPO:$CIRCLE_TAG
docker push $REPO:$CIRCLE_TAG
# Test scripts
update_coverage: &update_coverage
run:
name: Update Coverage
@@ -43,12 +37,11 @@ references:
else
echo "Skipping coverage for forked PR"
fi
test_dashboard: &test_dashboard
run:
name: Test Dashboard
command: |
go run main.go --dashboard --dashboard-port 3000 --audit-path ./deploy/dashboard.yaml &
go run main.go --dashboard --dashboard-port 3000 --audit-path ./examples &
sleep 5
curl -f http://localhost:3000 > /dev/null
curl -f http://localhost:3000/health > /dev/null
@@ -57,6 +50,30 @@ references:
curl -f http://localhost:3000/results.json > /dev/null
curl -f http://localhost:3000/details/security > /dev/null
# Release scripts
install_goreleaser: &install_goreleaser
run:
name: Install GoReleaser
command: |
curl -fsSLo goreleaser.deb https://github.com/goreleaser/goreleaser/releases/download/v0.94.0/goreleaser_amd64.deb
echo "8dbad6683d6fc9367e637e6eed8e01a0d63c9660 goreleaser.deb" | sha1sum -c
sudo dpkg -i goreleaser.deb
rm goreleaser.deb
release_deploy_configs: &release_deploy_configs
run:
name: Release deploy configs
command: |
git clone --branch polaris-latest https://github.com/reactiveops/charts
mkdir deploy
helm template ./charts/stable/polaris --name polaris --namespace polaris --set templateOnly=true > deploy/dashboard.yaml
helm template ./charts/stable/polaris --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false > deploy/webhook.yaml
upload_url=$(curl --silent https://api.github.com/repos/reactiveops/polaris/releases/latest | grep upload_url)
upload_url=$(echo $upload_url | sed -e 's/.*\(https.*\){.*$/\1/')
curl -X POST "$upload_url?name=dashboard.yaml" --data-binary "@./deploy/dashboard.yaml" -H "Authorization: Bearer $GITHUB_TOKEN" -H "Content-Type: application/x-yaml"
curl -X POST "$upload_url?name=webhook.yaml" --data-binary "@./deploy/webhook.yaml" -H "Authorization: Bearer $GITHUB_TOKEN" -H "Content-Type: application/x-yaml"
rm -rf ./charts
rm -rf ./deploy
jobs:
build:
docker:
@@ -80,30 +97,7 @@ jobs:
- *update_coverage
- *test_dashboard
test-deploy:
docker:
- image: quay.io/reactiveops/ci-images:v8.0-stretch
steps:
- checkout
- run:
name: Verify helm chart synced with dashboard.yaml
command: |
diff \
<(helm template deploy/helm/polaris/ --name polaris --namespace polaris --set templateOnly=true) \
deploy/dashboard.yaml || (echo "
Make sure to regenerate k8s deploy config with make helm-to-k8s" &&
exit 1)
- run:
name: Verify helm chart synced with webhook.yaml
command: |
diff \
<(helm template deploy/helm/polaris/ --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false) \
deploy/webhook.yaml || (echo "
Make sure to regenerate k8s deploy config with make helm-to-k8s" &&
exit 1)
release:
release_binary:
working_directory: /go/src/github.com/reactiveops/polaris/
docker:
- image: circleci/golang:1.12
@@ -111,22 +105,30 @@ jobs:
- checkout
- setup_remote_docker
- *set_environment_variables
- *docker_tag_release
- *install_goreleaser
- run: go get -u github.com/gobuffalo/packr/v2/packr2
- run: packr2
- run: goreleaser
release_images:
working_directory: /go/src/github.com/reactiveops/polaris/
docker:
- image: quay.io/reactiveops/ci-images:v8.0-stretch
steps:
- checkout
- setup_remote_docker
- *set_environment_variables
- *docker_build_and_push
- *release_deploy_configs
workflows:
version: 2
build:
jobs:
- test
- test-deploy
- build:
requires:
- test
- test-deploy
context: org-global
# Allow using testing tags for testing circle test + build steps
filters:
@@ -134,7 +136,17 @@ workflows:
only: /^testing-.*/
release:
jobs:
- release:
- release_binary:
context: org-global
filters:
branches:
ignore: /.*/
# Testing tags are reserved for testing circle test + build steps
tags:
ignore: /^testing-.*/
- release_images:
requires:
- release_binary
context: org-global
filters:
branches:
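Review bot: The two `curl -X POST` upload calls in release_deploy_configs (hunk `@@ -57,6 +50,30 @@`) run without `--fail`, so an HTTP error from the GitHub API (expired `$GITHUB_TOKEN`, asset name already attached, wrong `upload_url`) exits 0 and leaves the release job green while `releases/latest/download/dashboard.yaml` — the URL the README in this same commit tells users to `kubectl apply` — serves nothing or a previous release's manifest; add `--fail` to both, e.g. `curl --fail -X POST "$upload_url?name=dashboard.yaml" ...`. The unauthenticated `curl --silent https://api.github.com/repos/reactiveops/polaris/releases/latest | grep upload_url` that seeds `upload_url` has the same gap: a rate-limited or failed response presumably yields an empty `upload_url` and the error surfaces, if at all, only at the POST. Separately, the manifests are rendered from the mutable `polaris-latest` branch of reactiveops/charts at release time, so the artifact attached to a tag is not reproducible from that tag; consider pinning the clone to a chart tag or commit, or at least echoing `git -C charts rev-parse HEAD` into the job log so the published RBAC and Deployment content can be traced later.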


@@ -57,18 +57,35 @@ Each new pull request should:
- Be up to date and/or rebased on the master branch
## Creating a new release
* Change the version number everywhere. E.g. for `0.1.4` to `0.1.5`:
```
find ./ -type f ! -path "./vendor/*" ! -path "./.git/*" ! -name CHANGELOG.md -exec sed -i 's/0\.1\.4/0.1.5/g' {} \;
```
* Add relevant entries to CHANGELOG.md
* Create a PR to merge your changes
* Once the PR is merged, wait for CircleCI to finish building the merge commit
* Tag and push the latest:
```
git checkout master
git pull
git tag $VERSION
git push --tags
```
* CircleCI will add an entry to the releases page on GitHub
### Minor/patch releases
Minor and patch releases only need to change this repo. The Helm chart and deploy scripts
will automatically pull in the latest changes.
To deploy a minor or patch release, follow steps 2 and 3 from "Major releases" below.
### Major releases
Major releases need to change both this repository and the
[Helm chart repo](https://github.com/reactiveops/charts/).
The steps are:
1. Create a PR in the [charts repo](https://github.com/reactiveops/charts/)
* Use a branch named `polaris-latest`
* Bump the version number in:
* stable/polaris/README.md
* stable/polaris/Chart.yaml
* stable/polaris/values.yaml
* **Don't merge yet!**
2. Create a PR for this repo
* Bump the version number in:
* main.go
* README.md
* Merge your PR
3. Tag the latest branch for this repo
* Pull the latest for the `master` branch
* Run `git tag $VERSION && git push --tags`
* Wait for CircleCI to finish the build for the tag, which will:
* Create the proper image tag in quay.io
* Add an entry to the releases page on GitHub
4. Merge the PR for the charts repo you created in step 1.


@@ -1,3 +0,0 @@
helm-to-k8s:
helm template deploy/helm/polaris/ --name polaris --namespace polaris --set templateOnly=true > deploy/dashboard.yaml
helm template deploy/helm/polaris/ --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false > deploy/webhook.yaml


@@ -24,7 +24,7 @@ Polaris helps keep your cluster healthy. It runs a variety of checks to ensure t
## Quickstart
```
kubectl apply -f https://raw.githubusercontent.com/reactiveops/polaris/master/deploy/dashboard.yaml
kubectl apply -f https://github.com/reactiveops/polaris/releases/latest/download/dashboard.yaml
kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
```
With the port forwarding in place, you can open http://localhost:8080 in your browser to view the dashboard.
@@ -53,25 +53,31 @@ or run against local YAML files.
### kubectl
#### Dashboard
```
kubectl apply -f https://raw.githubusercontent.com/reactiveops/polaris/master/deploy/dashboard.yaml
kubectl apply -f https://github.com/reactiveops/polaris/releases/latest/download/dashboard.yaml
kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
```
#### Webhook
```
kubectl apply -f https://raw.githubusercontent.com/reactiveops/polaris/master/deploy/webhook.yaml
kubectl apply -f https://github.com/reactiveops/polaris/releases/latest/download/webhook.yaml
```
### Helm
Start by adding the ReactiveOps Helm repo:
```
helm repo add reactiveops-stable https://charts.reactiveops.com/stable
```
#### Dashboard
```
git clone https://github.com/reactiveops/polaris && cd polaris
helm upgrade --install polaris deploy/helm/polaris/ --namespace polaris
helm upgrade --install polaris reactiveops-stable/polaris --namespace polaris
kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80
```
#### Webhook
```
git clone https://github.com/reactiveops/polaris && cd polaris
helm upgrade --install polaris deploy/helm/polaris/ --namespace polaris --set webhook.enable=true --set dashboard.enable=false
helm upgrade --install polaris reactiveops-stable/polaris --namespace polaris \
--set webhook.enable=true --set dashboard.enable=false
```
### Local Binary


@@ -1,212 +0,0 @@
---
# Source: polaris/templates/0-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: polaris
---
# Source: polaris/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: polaris
namespace: polaris
labels:
app: polaris
data:
config.yaml: |
resources:
cpuRequestsMissing: warning
cpuLimitsMissing: warning
memoryRequestsMissing: warning
memoryLimitsMissing: warning
images:
tagNotSpecified: error
healthChecks:
readinessProbeMissing: warning
livenessProbeMissing: warning
networking:
hostNetworkSet: warning
hostPortSet: warning
security:
hostIPCSet: error
hostPIDSet: error
notReadOnlyRootFileSystem: warning
privilegeEscalationAllowed: error
runAsRootAllowed: warning
runAsPrivileged: error
capabilities:
error:
ifAnyAdded:
- SYS_ADMIN
- NET_ADMIN
- ALL
warning:
ifAnyAddedBeyond:
- CHOWN
- DAC_OVERRIDE
- FSETID
- FOWNER
- MKNOD
- NET_RAW
- SETGID
- SETUID
- SETFCAP
- SETPCAP
- NET_BIND_SERVICE
- SYS_CHROOT
- KILL
- AUDIT_WRITE
---
# Source: polaris/templates/dashboard.rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: polaris-dashboard
namespace: polaris
labels:
app: polaris
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: polaris-dashboard
labels:
app: polaris
rules:
- apiGroups:
- 'apps'
- 'extensions'
resources:
- 'deployments'
verbs:
- 'get'
- 'list'
- apiGroups:
- ''
resources:
- 'nodes'
- 'namespaces'
- 'pods'
verbs:
- 'get'
- 'list'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: polaris-dashboard
labels:
app: polaris
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: polaris-dashboard
subjects:
- kind: ServiceAccount
name: polaris-dashboard
namespace: polaris
---
# Source: polaris/templates/dashboard.service.yaml
apiVersion: v1
kind: Service
metadata:
name: polaris-dashboard
namespace: polaris
labels:
app: polaris
spec:
ports:
- name: dashboard
port: 80
protocol: TCP
targetPort: 8080
selector:
app: polaris
component: dashboard
type: ClusterIP
---
# Source: polaris/templates/dashboard.deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
checksum/config: '6ec4a4dc87403cae67c01438398a5f1d4ef836ffeaf26a33b685c066b940495a'
name: polaris-dashboard
namespace: polaris
labels:
app: polaris
component: dashboard
spec:
replicas: 1
selector:
matchLabels:
app: polaris
component: dashboard
template:
metadata:
labels:
app: polaris
component: dashboard
spec:
volumes:
- name: config
configMap:
name: polaris
containers:
- command:
- polaris
- --dashboard
- --config
- /opt/app/config.yaml
image: 'quay.io/reactiveops/polaris:0.1.5'
imagePullPolicy: 'Always'
name: dashboard
ports:
- containerPort: 8080
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 20
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 20
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
subPath: config.yaml
readOnly: true
serviceAccountName: polaris-dashboard
---
# Source: polaris/templates/webhook.deployment.yaml
---
# Source: polaris/templates/webhook.rbac.yaml
---
# Source: polaris/templates/webhook.secret.yaml
---
# Source: polaris/templates/webhook.service.yaml


@@ -1,4 +0,0 @@
apiVersion: v1
description: Validation of best practices in your Kubernetes clusters
name: polaris
version: 0.1.5


@@ -1,6 +0,0 @@
{{- if .Values.templateOnly -}}
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Release.Namespace }}
{{- end -}}


@@ -1,12 +0,0 @@
** Please be patient while the chart is being deployed **
Enjoy Polaris and smooth sailing!
{{- if contains "ClusterIP" .Values.dashboard.service.type }}
## To view the dashboard execute these commands:
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 &
open http://localhost:8080
{{- end }}


@@ -1,56 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "polaris.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "polaris.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "polaris.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Standard labels
*/}}
{{- define "polaris.labels" -}}
app: {{ include "polaris.name" . }}
{{- if not .Values.templateOnly }}
app.kubernetes.io/name: {{ include "polaris.name" . }}
helm.sh/chart: {{ include "polaris.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- end -}}
{{/*
Standard selector
*/}}
{{- define "polaris.selectors" -}}
app: {{ include "polaris.name" . }}
{{- if not .Values.templateOnly }}
app.kubernetes.io/name: {{ include "polaris.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- end -}}


@@ -1,9 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "polaris.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
data:
config.yaml: {{- toYaml .Values.config | indent 2 -}}


@@ -1,76 +0,0 @@
{{- if .Values.dashboard.enable -}}
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'
name: {{ include "polaris.fullname" . }}-dashboard
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
component: dashboard
spec:
replicas: {{.Values.dashboard.replicas}}
selector:
matchLabels:
{{- include "polaris.selectors" . | nindent 6 }}
component: dashboard
template:
metadata:
labels:
{{- include "polaris.selectors" . | nindent 8 }}
component: dashboard
spec:
volumes:
- name: config
configMap:
name: {{ include "polaris.fullname" . }}
containers:
- command:
- polaris
- --dashboard
- --config
- /opt/app/config.yaml
{{- with .Values.dashboard.clusterName }}
- --cluster-name
- {{ . }}
{{- end }}
image: '{{.Values.dashboard.image.repository}}:{{.Values.dashboard.image.tag}}'
imagePullPolicy: '{{.Values.dashboard.image.pullPolicy}}'
name: dashboard
ports:
- containerPort: 8080
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 20
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 20
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
subPath: config.yaml
readOnly: true
serviceAccountName: {{ include "polaris.fullname" . }}-dashboard
{{- end -}}


@@ -1,49 +0,0 @@
{{- if and .Values.dashboard.enable .Values.rbac.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "polaris.fullname" . }}-dashboard
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: {{ include "polaris.fullname" . }}-dashboard
labels:
{{- include "polaris.labels" . | nindent 4 }}
rules:
- apiGroups:
- 'apps'
- 'extensions'
resources:
- 'deployments'
verbs:
- 'get'
- 'list'
- apiGroups:
- ''
resources:
- 'nodes'
- 'namespaces'
- 'pods'
verbs:
- 'get'
- 'list'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ include "polaris.fullname" . }}-dashboard
labels:
{{- include "polaris.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "polaris.fullname" . }}-dashboard
subjects:
- kind: ServiceAccount
name: {{ include "polaris.fullname" . }}-dashboard
namespace: {{ .Release.Namespace }}
{{- end -}}


@@ -1,19 +0,0 @@
{{- if and .Values.dashboard.enable .Values.dashboard.service -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "polaris.fullname" . }}-dashboard
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
spec:
ports:
- name: dashboard
port: 80
protocol: TCP
targetPort: 8080
selector:
{{- include "polaris.selectors" . | nindent 4 }}
component: dashboard
type: {{ .Values.dashboard.service.type }}
{{- end -}}


@@ -1,90 +0,0 @@
{{- if .Values.webhook.enable -}}
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'
name: {{ include "polaris.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
component: webhook
spec:
replicas: {{ .Values.webhook.replicas }}
selector:
matchLabels:
{{- include "polaris.selectors" . | nindent 6 }}
component: webhook
template:
metadata:
labels:
{{- include "polaris.selectors" . | nindent 8 }}
component: webhook
spec:
containers:
- name: webhook
command:
- polaris
- --webhook
- --config
- /opt/app/config.yaml
image: '{{.Values.webhook.image.repository}}:{{.Values.webhook.image.tag}}'
imagePullPolicy: '{{.Values.webhook.image.pullPolicy}}'
ports:
- containerPort: 9876
# These are fairly useless readiness/liveness probes for now
# Follow this issue for potential improvements:
# https://github.com/kubernetes-sigs/controller-runtime/issues/356
livenessProbe:
exec:
command:
- sh
- -c
- ps -ef | grep polaris
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
exec:
command:
- sh
- -c
- ps -ef | grep polaris
initialDelaySeconds: 5
periodSeconds: 5
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
subPath: config.yaml
readOnly: true
- name: secret
mountPath: /opt/cert/
readOnly: true
- name: cr-logs
mountPath: /tmp/
readOnly: false
serviceAccountName: {{ include "polaris.fullname" . }}-webhook
volumes:
- name: config
configMap:
name: {{ include "polaris.fullname" . }}
- name: secret
secret:
secretName: polaris-webhook
- name: cr-logs
emptyDir: {}
{{- end -}}


@@ -1,90 +0,0 @@
{{- if and .Values.webhook.enable .Values.rbac.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "polaris.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: {{ include "polaris.fullname" . }}-webhook
labels:
{{- include "polaris.labels" . | nindent 4 }}
rules:
- apiGroups:
- 'apps'
- 'extensions'
resources:
- 'deployments'
verbs:
- 'get'
- 'list'
# required by controller-runtime code doing a cluster wide lookup
# when it seems namespace would suffice
- apiGroups:
- ''
resources:
- 'secrets'
- 'services'
verbs:
- 'get'
- 'list'
- 'watch'
- apiGroups:
- 'admissionregistration.k8s.io'
resources:
- 'validatingwebhookconfigurations'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: {{ include "polaris.fullname" . }}-webhook
labels:
{{- include "polaris.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "polaris.fullname" . }}-webhook
subjects:
- kind: ServiceAccount
name: {{ include "polaris.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ include "polaris.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
rules:
# required for current controller-runtime bootstrap method
- apiGroups:
- ''
resources:
- 'secrets'
- 'services'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ include "polaris.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "polaris.fullname" . }}-webhook
subjects:
- kind: ServiceAccount
name: {{ include "polaris.fullname" . }}-webhook
namespace: {{ .Release.Namespace }}
{{- end -}}


@@ -1,12 +0,0 @@
{{- if .Values.webhook.enable -}}
apiVersion: v1
kind: Secret
metadata:
name: polaris-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
type: Opaque
stringData:
cert.pem: ''
{{- end -}}


@@ -1,19 +0,0 @@
{{- if .Values.webhook.enable -}}
apiVersion: v1
kind: Service
metadata:
name: polaris-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "polaris.labels" . | nindent 4 }}
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: 9876
selector:
{{- include "polaris.selectors" . | nindent 4 }}
component: webhook
type: ClusterIP
{{- end -}}


@@ -1,67 +0,0 @@
---
config: |
resources:
cpuRequestsMissing: warning
cpuLimitsMissing: warning
memoryRequestsMissing: warning
memoryLimitsMissing: warning
images:
tagNotSpecified: error
healthChecks:
readinessProbeMissing: warning
livenessProbeMissing: warning
networking:
hostNetworkSet: warning
hostPortSet: warning
security:
hostIPCSet: error
hostPIDSet: error
notReadOnlyRootFileSystem: warning
privilegeEscalationAllowed: error
runAsRootAllowed: warning
runAsPrivileged: error
capabilities:
error:
ifAnyAdded:
- SYS_ADMIN
- NET_ADMIN
- ALL
warning:
ifAnyAddedBeyond:
- CHOWN
- DAC_OVERRIDE
- FSETID
- FOWNER
- MKNOD
- NET_RAW
- SETGID
- SETUID
- SETFCAP
- SETPCAP
- NET_BIND_SERVICE
- SYS_CHROOT
- KILL
- AUDIT_WRITE
dashboard:
enable: true
replicas: 1
service:
type: ClusterIP
image:
repository: quay.io/reactiveops/polaris
tag: 0.1.5
pullPolicy: Always
webhook:
enable: false
replicas: 1
image:
repository: quay.io/reactiveops/polaris
tag: 0.1.5
pullPolicy: Always
rbac:
create: true
templateOnly: false


@@ -1,280 +0,0 @@
---
# Source: polaris/templates/0-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: polaris
---
# Source: polaris/templates/webhook.secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: polaris-webhook
namespace: polaris
labels:
app: polaris
type: Opaque
stringData:
cert.pem: ''
---
# Source: polaris/templates/configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: polaris
namespace: polaris
labels:
app: polaris
data:
config.yaml: |
resources:
cpuRequestsMissing: warning
cpuLimitsMissing: warning
memoryRequestsMissing: warning
memoryLimitsMissing: warning
images:
tagNotSpecified: error
healthChecks:
readinessProbeMissing: warning
livenessProbeMissing: warning
networking:
hostNetworkSet: warning
hostPortSet: warning
security:
hostIPCSet: error
hostPIDSet: error
notReadOnlyRootFileSystem: warning
privilegeEscalationAllowed: error
runAsRootAllowed: warning
runAsPrivileged: error
capabilities:
error:
ifAnyAdded:
- SYS_ADMIN
- NET_ADMIN
- ALL
warning:
ifAnyAddedBeyond:
- CHOWN
- DAC_OVERRIDE
- FSETID
- FOWNER
- MKNOD
- NET_RAW
- SETGID
- SETUID
- SETFCAP
- SETPCAP
- NET_BIND_SERVICE
- SYS_CHROOT
- KILL
- AUDIT_WRITE
---
# Source: polaris/templates/webhook.rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: polaris-webhook
namespace: polaris
labels:
app: polaris
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: polaris-webhook
labels:
app: polaris
rules:
- apiGroups:
- 'apps'
- 'extensions'
resources:
- 'deployments'
verbs:
- 'get'
- 'list'
# required by controller-runtime code doing a cluster wide lookup
# when it seems namespace would suffice
- apiGroups:
- ''
resources:
- 'secrets'
- 'services'
verbs:
- 'get'
- 'list'
- 'watch'
- apiGroups:
- 'admissionregistration.k8s.io'
resources:
- 'validatingwebhookconfigurations'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: polaris-webhook
labels:
app: polaris
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: polaris-webhook
subjects:
- kind: ServiceAccount
name: polaris-webhook
namespace: polaris
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: polaris-webhook
namespace: polaris
labels:
app: polaris
rules:
# required for current controller-runtime bootstrap method
- apiGroups:
- ''
resources:
- 'secrets'
- 'services'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: polaris-webhook
namespace: polaris
labels:
app: polaris
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: polaris-webhook
subjects:
- kind: ServiceAccount
name: polaris-webhook
namespace: polaris
---
# Source: polaris/templates/webhook.service.yaml
apiVersion: v1
kind: Service
metadata:
name: polaris-webhook
namespace: polaris
labels:
app: polaris
spec:
ports:
- name: webhook
port: 443
protocol: TCP
targetPort: 9876
selector:
app: polaris
component: webhook
type: ClusterIP
---
# Source: polaris/templates/webhook.deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
checksum/config: '6ec4a4dc87403cae67c01438398a5f1d4ef836ffeaf26a33b685c066b940495a'
name: polaris-webhook
namespace: polaris
labels:
app: polaris
component: webhook
spec:
replicas: 1
selector:
matchLabels:
app: polaris
component: webhook
template:
metadata:
labels:
app: polaris
component: webhook
spec:
containers:
- name: webhook
command:
- polaris
- --webhook
- --config
- /opt/app/config.yaml
image: 'quay.io/reactiveops/polaris:0.1.5'
imagePullPolicy: 'Always'
ports:
- containerPort: 9876
# These are fairly useless readiness/liveness probes for now
# Follow this issue for potential improvements:
# https://github.com/kubernetes-sigs/controller-runtime/issues/356
livenessProbe:
exec:
command:
- sh
- -c
- ps -ef | grep polaris
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
exec:
command:
- sh
- -c
- ps -ef | grep polaris
initialDelaySeconds: 5
periodSeconds: 5
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
volumeMounts:
- name: config
mountPath: /opt/app/config.yaml
subPath: config.yaml
readOnly: true
- name: secret
mountPath: /opt/cert/
readOnly: true
- name: cr-logs
mountPath: /tmp/
readOnly: false
serviceAccountName: polaris-webhook
volumes:
- name: config
configMap:
name: polaris
- name: secret
secret:
secretName: polaris-webhook
- name: cr-logs
emptyDir: {}
---
# Source: polaris/templates/dashboard.deployment.yaml
---
# Source: polaris/templates/dashboard.rbac.yaml
---
# Source: polaris/templates/dashboard.service.yaml