diff --git a/.circleci/build.config b/.circleci/build.config
new file mode 100644
index 00000000..1237e75c
--- /dev/null
+++ b/.circleci/build.config
@@ -0,0 +1,5 @@
+DOCKERFILE='Dockerfile'
+
+EXTERNAL_REGISTRY_BASE_DOMAIN=quay.io
+REPOSITORY_NAME=reactiveops/polaris
+DOCKERTAG=${EXTERNAL_REGISTRY_BASE_DOMAIN}/${REPOSITORY_NAME}
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2f639cfc..6098046f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,38 +1,32 @@ version: 2 references: - install_goreleaser: &install_goreleaser - run: - name: Install GoReleaser - command: | - curl -fsSLo goreleaser.deb https://github.com/goreleaser/goreleaser/releases/download/v0.94.0/goreleaser_amd64.deb - echo "8dbad6683d6fc9367e637e6eed8e01a0d63c9660 goreleaser.deb" | sha1sum -c - sudo dpkg -i goreleaser.deb - rm goreleaser.deb set_environment_variables: &set_environment_variables run: name: Set Environment Variables command: | - echo 'export REPO=quay.io/reactiveops/polaris' >> ${BASH_ENV} + echo 'export CI_SHA1=$CIRCLE_SHA1' >> ${BASH_ENV} + echo 'export CI_BRANCH=$CIRCLE_BRANCH' >> ${BASH_ENV} + echo 'export CI_BUILD_NUM=$CIRCLE_BUILD_NUM' >> ${BASH_ENV} + echo 'export CI_TAG=$CIRCLE_TAG' >> ${BASH_ENV} + echo 'export PUSH_ALL_VERSION_TAGS=true' >> ${BASH_ENV} docker_build_and_push: &docker_build_and_push run: name: Docker login, build, and push command: | - docker build -t $REPO:dev-$CIRCLE_SHA1 . + docker-pull -f .circleci/build.config + docker-build -f .circleci/build.config + if [[ -n $CIRCLE_TAG ]]; then + export ADDITIONAL_DOCKER_TAG_VERSIONS=(`echo $CIRCLE_TAG | sed -e 's/\(\w\+\)\..*$/\1/'`) + fi if [[ -z $CIRCLE_PR_NUMBER ]]; then docker login quay.io -u="reactiveops+circleci" -p="${quay_token}" - docker push $REPO:dev-$CIRCLE_SHA1 + docker-push -f .circleci/build.config else echo "Skipping docker push for forked PR" fi - docker_tag_release: &docker_tag_release - run: - name: Docker tag release - command: | - docker login quay.io -u="reactiveops+circleci" -p="${quay_token}" - docker build -t $REPO:dev-$CIRCLE_SHA1 . - docker tag $REPO:dev-$CIRCLE_SHA1 $REPO:$CIRCLE_TAG - docker push $REPO:$CIRCLE_TAG + + # Test scripts update_coverage: &update_coverage run: name: Update Coverage 
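Review bot: `export ADDITIONAL_DOCKER_TAG_VERSIONS=(...)` in docker_build_and_push builds a bash array, but bash never places array variables in a child process's environment, so if `docker-push` is a separate executable (it is invoked by name here, not sourced) it will not see the extra tag and the major-version tag silently goes unpushed. Exporting a plain scalar avoids that: `export ADDITIONAL_DOCKER_TAG_VERSIONS="$(echo "$CIRCLE_TAG" | sed -e 's/\(\w\+\)\..*$/\1/')"` — or source the helper so the array stays in-process; either way, confirm against the helper's contract, which is not visible here. The retained `docker login quay.io -u="reactiveops+circleci" -p="${quay_token}"` puts the registry token on the command line where it is visible to `ps` inside the container; `echo "${quay_token}" | docker login quay.io -u reactiveops+circleci --password-stdin` keeps it off argv.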
@@ -43,12 +37,11 @@ references: else echo "Skipping coverage for forked PR" fi - test_dashboard: &test_dashboard run: name: Test Dashboard command: | - go run main.go --dashboard --dashboard-port 3000 --audit-path ./deploy/dashboard.yaml & + go run main.go --dashboard --dashboard-port 3000 --audit-path ./examples & sleep 5 curl -f http://localhost:3000 > /dev/null curl -f http://localhost:3000/health > /dev/null @@ -57,6 +50,30 @@ references: curl -f http://localhost:3000/results.json > /dev/null curl -f http://localhost:3000/details/security > /dev/null + # Release scripts + install_goreleaser: &install_goreleaser + run: + name: Install GoReleaser + command: | + curl -fsSLo goreleaser.deb https://github.com/goreleaser/goreleaser/releases/download/v0.94.0/goreleaser_amd64.deb + echo "8dbad6683d6fc9367e637e6eed8e01a0d63c9660 goreleaser.deb" | sha1sum -c + sudo dpkg -i goreleaser.deb + rm goreleaser.deb + release_deploy_configs: &release_deploy_configs + run: + name: Release deploy configs + command: | + git clone --branch polaris-latest https://github.com/reactiveops/charts + mkdir deploy + helm template ./charts/stable/polaris --name polaris --namespace polaris --set templateOnly=true > deploy/dashboard.yaml + helm template ./charts/stable/polaris --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false > deploy/webhook.yaml + upload_url=$(curl --silent https://api.github.com/repos/reactiveops/polaris/releases/latest | grep upload_url) + upload_url=$(echo $upload_url | sed -e 's/.*\(https.*\){.*$/\1/') + curl -X POST "$upload_url?name=dashboard.yaml" --data-binary "@./deploy/dashboard.yaml" -H "Authorization: Bearer $GITHUB_TOKEN" -H "Content-Type: application/x-yaml" + curl -X POST "$upload_url?name=webhook.yaml" --data-binary "@./deploy/webhook.yaml" -H "Authorization: Bearer $GITHUB_TOKEN" -H "Content-Type: application/x-yaml" + rm -rf ./charts + rm -rf ./deploy + jobs: build: docker: 
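Review bot: release_deploy_configs builds the published manifests from the unpinned `polaris-latest` branch of a separate repository and then attaches them to whatever `releases/latest` returns, so neither input is tied to the tag that triggered the job. `git clone --branch polaris-latest` templates whatever that branch holds at run time (per the new CONTRIBUTING steps, an as-yet-unmerged PR), and `releases/latest` excludes drafts and pre-releases, so an older release could receive the new assets if goreleaser marked this one as either. Look the release up by tag instead, `curl --silent -H "Authorization: Bearer $GITHUB_TOKEN" "https://api.github.com/repos/reactiveops/polaris/releases/tags/$CIRCLE_TAG"`, which also keeps the lookup out of the unauthenticated rate limit, and log the chart commit that was templated (`git -C charts rev-parse HEAD`) so a published manifest can be traced back to its source.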
@@ -80,30 +97,7 @@ jobs: - *update_coverage - *test_dashboard - test-deploy: - docker: - - image: quay.io/reactiveops/ci-images:v8.0-stretch - steps: - - checkout - - run: - name: Verify helm chart synced with dashboard.yaml - command: | - diff \ - <(helm template deploy/helm/polaris/ --name polaris --namespace polaris --set templateOnly=true) \ - deploy/dashboard.yaml || (echo " - Make sure to regenerate k8s deploy config with make helm-to-k8s" && - exit 1) - - - run: - name: Verify helm chart synced with webhook.yaml - command: | - diff \ - <(helm template deploy/helm/polaris/ --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false) \ - deploy/webhook.yaml || (echo " - Make sure to regenerate k8s deploy config with make helm-to-k8s" && - exit 1) - - release: + release_binary: working_directory: /go/src/github.com/reactiveops/polaris/ docker: - image: circleci/golang:1.12 @@ -111,22 +105,30 @@ jobs: - checkout - setup_remote_docker - *set_environment_variables - - *docker_tag_release - *install_goreleaser - run: go get -u github.com/gobuffalo/packr/v2/packr2 - run: packr2 - run: goreleaser + release_images: + working_directory: /go/src/github.com/reactiveops/polaris/ + docker: + - image: quay.io/reactiveops/ci-images:v8.0-stretch + steps: + - checkout + - setup_remote_docker + - *set_environment_variables + - *docker_build_and_push + - *release_deploy_configs + workflows: version: 2 build: jobs: - test - - test-deploy - build: requires: - test - - test-deploy context: org-global # Allow using testing tags for testing circle test + build steps filters: @@ -134,7 +136,17 @@ workflows: only: /^testing-.*/ release: jobs: - - release: + - release_binary: + context: org-global + filters: + branches: + ignore: /.*/ + # Testing tags are reserved for testing circle test + build steps + tags: + ignore: /^testing-.*/ + - release_images: + requires: + - release_binary context: org-global filters: branches: 
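Review bot: release_images runs the credentialed `docker-push` step inside `quay.io/reactiveops/ci-images:v8.0-stretch`, a floating tag, so the helper scripts that handle `quay_token` and decide what gets pushed can change with no commit to this repository. For a job that publishes release artifacts with a registry credential, pin the executor by digest (`image: quay.io/reactiveops/ci-images@sha256:<digest>`) and bump it deliberately, as the goreleaser download in this file already does with its checksum. The `working_directory: /go/src/github.com/reactiveops/polaris/` copied into release_images serves no purpose for a job that runs no Go and can be dropped. The `tags` filter that completes the release_images workflow entry lies outside the hunk.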
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 85a70185..06e16c13 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -57,18 +57,35 @@ Each new pull request should: - Be up to date and/or rebased on the master branch ## Creating a new release -* Change the version number everywhere. E.g. for `0.1.4` to `0.1.5`: -``` -find ./ -type f ! -path "./vendor/*" ! -path "./.git/*" ! -name CHANGELOG.md -exec sed -i 's/0\.1\.4/0.1.5/g' {} \; -``` -* Add relevant entries to CHANGELOG.md -* Create a PR to merge your changes -* Once the PR is merged, wait for CircleCI to finish building the merge commit -* Tag and push the latest: -``` -git checkout master -git pull -git tag $VERSION -git push --tags -``` -* CircleCI will add an entry to the releases page on GitHub + +### Minor/patch releases +Minor and patch releases only need to change this repo. The Helm chart and deploy scripts +will automatically pull in the latest changes. + +To deploy a minor or patch release, follow steps 2 and 3 from "Major releases" below. + +### Major releases +Major releases need to change both this repository and the +[Helm chart repo](https://github.com/reactiveops/charts/). + +The steps are: +1. Create a PR in the [charts repo](https://github.com/reactiveops/charts/) + * Use a branch named `polaris-latest` + * Bump the version number in: + * stable/polaris/README.md + * stable/polaris/Chart.yaml + * stable/polaris/values.yaml + * **Don't merge yet!** +2. Create a PR for this repo + * Bump the version number in: + * main.go + * README.md + * Merge your PR +3. Tag the latest branch for this repo + * Pull the latest for the `master` branch + * Run `git tag $VERSION && git push --tags` + * Wait for CircleCI to finish the build for the tag, which will: + * Create the proper image tag in quay.io + * Add an entry to the releases page on GitHub +4. Merge the PR for the charts repo you created in step 1. + diff --git a/Makefile b/Makefile deleted file mode 100644 index 47e90305..00000000 
--- a/Makefile +++ /dev/null @@ -1,3 +0,0 @@ -helm-to-k8s: - helm template deploy/helm/polaris/ --name polaris --namespace polaris --set templateOnly=true > deploy/dashboard.yaml - helm template deploy/helm/polaris/ --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false > deploy/webhook.yaml diff --git a/README.md b/README.md index ffd797f9..1e976f3a 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ Polaris helps keep your cluster healthy. It runs a variety of checks to ensure t ## Quickstart ``` -kubectl apply -f https://raw.githubusercontent.com/reactiveops/polaris/master/deploy/dashboard.yaml +kubectl apply -f https://github.com/reactiveops/polaris/releases/latest/download/dashboard.yaml kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80 ``` With the port forwarding in place, you can open http://localhost:8080 in your browser to view the dashboard. 
@@ -53,25 +53,31 @@ or run against local YAML files. ### kubectl #### Dashboard ``` -kubectl apply -f https://raw.githubusercontent.com/reactiveops/polaris/master/deploy/dashboard.yaml +kubectl apply -f https://github.com/reactiveops/polaris/releases/latest/download/dashboard.yaml kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80 ``` + #### Webhook ``` -kubectl apply -f https://raw.githubusercontent.com/reactiveops/polaris/master/deploy/webhook.yaml +kubectl apply -f https://github.com/reactiveops/polaris/releases/latest/download/webhook.yaml ``` ### Helm +Start by adding the ReactiveOps Helm repo: +``` +helm repo add reactiveops-stable https://charts.reactiveops.com/stable +``` + #### Dashboard ``` -git clone https://github.com/reactiveops/polaris && cd polaris -helm upgrade --install polaris deploy/helm/polaris/ --namespace polaris +helm upgrade --install polaris reactiveops-stable/polaris --namespace polaris kubectl port-forward --namespace polaris svc/polaris-dashboard 8080:80 ``` + #### Webhook ``` -git clone https://github.com/reactiveops/polaris && cd polaris -helm upgrade --install polaris deploy/helm/polaris/ --namespace polaris --set webhook.enable=true --set dashboard.enable=false +helm upgrade --install polaris reactiveops-stable/polaris --namespace polaris \ + --set webhook.enable=true --set dashboard.enable=false ``` ### Local Binary diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml deleted file mode 100644 index ba575831..00000000 --- a/deploy/dashboard.yaml +++ /dev/null 
@@ -1,212 +0,0 @@ ---- -# Source: polaris/templates/0-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: polaris ---- -# Source: polaris/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: polaris - namespace: polaris - labels: - app: polaris -data: - config.yaml: | - resources: - cpuRequestsMissing: warning - cpuLimitsMissing: warning - memoryRequestsMissing: warning - memoryLimitsMissing: warning - images: - tagNotSpecified: error - healthChecks: - readinessProbeMissing: warning - livenessProbeMissing: warning - networking: - hostNetworkSet: warning - hostPortSet: warning - security: - hostIPCSet: error - hostPIDSet: error - notReadOnlyRootFileSystem: warning - privilegeEscalationAllowed: error - runAsRootAllowed: warning - runAsPrivileged: error - capabilities: - error: - ifAnyAdded: - - SYS_ADMIN - - NET_ADMIN - - ALL - warning: - ifAnyAddedBeyond: - - CHOWN - - DAC_OVERRIDE - - FSETID - - FOWNER - - MKNOD - - NET_RAW - - SETGID - - SETUID - - SETFCAP - - SETPCAP - - NET_BIND_SERVICE - - SYS_CHROOT - - KILL - - AUDIT_WRITE - ---- -# Source: polaris/templates/dashboard.rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: polaris-dashboard - namespace: polaris - labels: - app: polaris ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: polaris-dashboard - labels: - app: polaris -rules: - - apiGroups: - - 'apps' - - 'extensions' - resources: - - 'deployments' - verbs: - - 'get' - - 'list' - - apiGroups: - - '' - resources: - - 'nodes' - - 'namespaces' - - 'pods' - verbs: - - 'get' - - 'list' ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: polaris-dashboard - labels: - app: polaris -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: polaris-dashboard -subjects: - - kind: ServiceAccount - name: polaris-dashboard - namespace: polaris ---- -# Source: polaris/templates/dashboard.service.yaml -apiVersion: 
v1 -kind: Service -metadata: - name: polaris-dashboard - namespace: polaris - labels: - app: polaris -spec: - ports: - - name: dashboard - port: 80 - protocol: TCP - targetPort: 8080 - selector: - app: polaris - component: dashboard - type: ClusterIP ---- -# Source: polaris/templates/dashboard.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - checksum/config: '6ec4a4dc87403cae67c01438398a5f1d4ef836ffeaf26a33b685c066b940495a' - name: polaris-dashboard - namespace: polaris - labels: - app: polaris - component: dashboard -spec: - replicas: 1 - selector: - matchLabels: - app: polaris - component: dashboard - template: - metadata: - labels: - app: polaris - component: dashboard - spec: - volumes: - - name: config - configMap: - name: polaris - containers: - - command: - - polaris - - --dashboard - - --config - - /opt/app/config.yaml - image: 'quay.io/reactiveops/polaris:0.1.5' - imagePullPolicy: 'Always' - name: dashboard - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 20 - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - name: config - mountPath: /opt/app/config.yaml - subPath: config.yaml - readOnly: true - serviceAccountName: polaris-dashboard ---- -# Source: polaris/templates/webhook.deployment.yaml - ---- -# Source: polaris/templates/webhook.rbac.yaml - ---- -# Source: polaris/templates/webhook.secret.yaml - ---- -# Source: polaris/templates/webhook.service.yaml - diff --git a/deploy/helm/polaris/Chart.yaml b/deploy/helm/polaris/Chart.yaml deleted file mode 100755 index 5209e239..00000000 
--- a/deploy/helm/polaris/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -description: Validation of best practices in your Kubernetes clusters -name: polaris -version: 0.1.5 diff --git a/deploy/helm/polaris/templates/0-namespace.yaml b/deploy/helm/polaris/templates/0-namespace.yaml deleted file mode 100644 index 83e3751b..00000000 --- a/deploy/helm/polaris/templates/0-namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{{- if .Values.templateOnly -}} -apiVersion: v1 -kind: Namespace -metadata: - name: {{ .Release.Namespace }} -{{- end -}} diff --git a/deploy/helm/polaris/templates/NOTES.txt b/deploy/helm/polaris/templates/NOTES.txt deleted file mode 100644 index 530bfdd6..00000000 --- a/deploy/helm/polaris/templates/NOTES.txt +++ /dev/null @@ -1,12 +0,0 @@ -** Please be patient while the chart is being deployed ** - -Enjoy Polaris and smooth sailing! - -{{- if contains "ClusterIP" .Values.dashboard.service.type }} - -## To view the dashboard execute these commands: - -kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "polaris.fullname" . }}-dashboard 8080:80 & -open http://localhost:8080 - -{{- end }} diff --git a/deploy/helm/polaris/templates/_helpers.tpl b/deploy/helm/polaris/templates/_helpers.tpl deleted file mode 100644 index 3a0af13a..00000000 --- a/deploy/helm/polaris/templates/_helpers.tpl +++ /dev/null 
@@ -1,56 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "polaris.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "polaris.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "polaris.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Standard labels -*/}} -{{- define "polaris.labels" -}} -app: {{ include "polaris.name" . }} -{{- if not .Values.templateOnly }} -app.kubernetes.io/name: {{ include "polaris.name" . }} -helm.sh/chart: {{ include "polaris.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} -{{- end -}} - -{{/* -Standard selector -*/}} -{{- define "polaris.selectors" -}} -app: {{ include "polaris.name" . }} -{{- if not .Values.templateOnly }} -app.kubernetes.io/name: {{ include "polaris.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} -{{- end -}} diff --git a/deploy/helm/polaris/templates/configmap.yaml b/deploy/helm/polaris/templates/configmap.yaml deleted file mode 100644 index ef96d527..00000000 --- a/deploy/helm/polaris/templates/configmap.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "polaris.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} -data: - config.yaml: {{- toYaml .Values.config | indent 2 -}} diff --git a/deploy/helm/polaris/templates/dashboard.deployment.yaml b/deploy/helm/polaris/templates/dashboard.deployment.yaml deleted file mode 100644 index 18e188cc..00000000 --- a/deploy/helm/polaris/templates/dashboard.deployment.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{- if .Values.dashboard.enable -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' - name: {{ include "polaris.fullname" . }}-dashboard - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} - component: dashboard -spec: - replicas: {{.Values.dashboard.replicas}} - selector: - matchLabels: - {{- include "polaris.selectors" . | nindent 6 }} - component: dashboard - template: - metadata: - labels: - {{- include "polaris.selectors" . | nindent 8 }} - component: dashboard - spec: - volumes: - - name: config - configMap: - name: {{ include "polaris.fullname" . }} - containers: - - command: - - polaris - - --dashboard - - --config - - /opt/app/config.yaml - {{- with .Values.dashboard.clusterName }} - - --cluster-name - - {{ . }} - {{- end }} - image: '{{.Values.dashboard.image.repository}}:{{.Values.dashboard.image.tag}}' - imagePullPolicy: '{{.Values.dashboard.image.pullPolicy}}' - name: dashboard - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 20 - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - name: config - mountPath: /opt/app/config.yaml - subPath: config.yaml - readOnly: true - serviceAccountName: {{ include "polaris.fullname" . }}-dashboard -{{- end -}} diff --git a/deploy/helm/polaris/templates/dashboard.rbac.yaml b/deploy/helm/polaris/templates/dashboard.rbac.yaml deleted file mode 100644 index ea951db4..00000000 --- a/deploy/helm/polaris/templates/dashboard.rbac.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -{{- if and .Values.dashboard.enable .Values.rbac.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "polaris.fullname" . }}-dashboard - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: {{ include "polaris.fullname" . }}-dashboard - labels: - {{- include "polaris.labels" . | nindent 4 }} -rules: - - apiGroups: - - 'apps' - - 'extensions' - resources: - - 'deployments' - verbs: - - 'get' - - 'list' - - apiGroups: - - '' - resources: - - 'nodes' - - 'namespaces' - - 'pods' - verbs: - - 'get' - - 'list' ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: {{ include "polaris.fullname" . }}-dashboard - labels: - {{- include "polaris.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "polaris.fullname" . }}-dashboard -subjects: - - kind: ServiceAccount - name: {{ include "polaris.fullname" . }}-dashboard - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/deploy/helm/polaris/templates/dashboard.service.yaml b/deploy/helm/polaris/templates/dashboard.service.yaml deleted file mode 100644 index 3f88346b..00000000 --- a/deploy/helm/polaris/templates/dashboard.service.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if and .Values.dashboard.enable .Values.dashboard.service -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "polaris.fullname" . }}-dashboard - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} -spec: - ports: - - name: dashboard - port: 80 - protocol: TCP - targetPort: 8080 - selector: - {{- include "polaris.selectors" . | nindent 4 }} - component: dashboard - type: {{ .Values.dashboard.service.type }} -{{- end -}} 
diff --git a/deploy/helm/polaris/templates/webhook.deployment.yaml b/deploy/helm/polaris/templates/webhook.deployment.yaml deleted file mode 100644 index 4002cbf6..00000000 --- a/deploy/helm/polaris/templates/webhook.deployment.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -{{- if .Values.webhook.enable -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' - name: {{ include "polaris.fullname" . }}-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} - component: webhook -spec: - replicas: {{ .Values.webhook.replicas }} - selector: - matchLabels: - {{- include "polaris.selectors" . | nindent 6 }} - component: webhook - template: - metadata: - labels: - {{- include "polaris.selectors" . | nindent 8 }} - component: webhook - spec: - containers: - - name: webhook - command: - - polaris - - --webhook - - --config - - /opt/app/config.yaml - image: '{{.Values.webhook.image.repository}}:{{.Values.webhook.image.tag}}' - imagePullPolicy: '{{.Values.webhook.image.pullPolicy}}' - ports: - - containerPort: 9876 - # These are fairly useless readiness/liveness probes for now - # Follow this issue for potential improvements: - # https://github.com/kubernetes-sigs/controller-runtime/issues/356 - livenessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - readinessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - name: config - mountPath: /opt/app/config.yaml - subPath: config.yaml - readOnly: true - - name: secret - mountPath: /opt/cert/ - readOnly: true - - name: cr-logs - mountPath: /tmp/ - readOnly: false - serviceAccountName: {{ include "polaris.fullname" . }}-webhook - volumes: - - name: config - configMap: - name: {{ include "polaris.fullname" . 
}} - - name: secret - secret: - secretName: polaris-webhook - - name: cr-logs - emptyDir: {} -{{- end -}} diff --git a/deploy/helm/polaris/templates/webhook.rbac.yaml b/deploy/helm/polaris/templates/webhook.rbac.yaml deleted file mode 100644 index 5e73ceec..00000000 --- a/deploy/helm/polaris/templates/webhook.rbac.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -{{- if and .Values.webhook.enable .Values.rbac.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "polaris.fullname" . }}-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: {{ include "polaris.fullname" . }}-webhook - labels: - {{- include "polaris.labels" . | nindent 4 }} -rules: - - apiGroups: - - 'apps' - - 'extensions' - resources: - - 'deployments' - verbs: - - 'get' - - 'list' - # required by controller-runtime code doing a cluster wide lookup - # when it seems namespace would suffice - - apiGroups: - - '' - resources: - - 'secrets' - - 'services' - verbs: - - 'get' - - 'list' - - 'watch' - - apiGroups: - - 'admissionregistration.k8s.io' - resources: - - 'validatingwebhookconfigurations' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: {{ include "polaris.fullname" . }}-webhook - labels: - {{- include "polaris.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "polaris.fullname" . }}-webhook -subjects: - - kind: ServiceAccount - name: {{ include "polaris.fullname" . }}-webhook - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: {{ include "polaris.fullname" . }}-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} -rules: - # required for current controller-runtime bootstrap method - - apiGroups: - - '' - resources: - - 'secrets' - - 'services' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: {{ include "polaris.fullname" . }}-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . 
| nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "polaris.fullname" . }}-webhook -subjects: - - kind: ServiceAccount - name: {{ include "polaris.fullname" . }}-webhook - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/deploy/helm/polaris/templates/webhook.secret.yaml b/deploy/helm/polaris/templates/webhook.secret.yaml deleted file mode 100644 index 71f28ecb..00000000 --- a/deploy/helm/polaris/templates/webhook.secret.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.webhook.enable -}} -apiVersion: v1 -kind: Secret -metadata: - name: polaris-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} -type: Opaque -stringData: - cert.pem: '' -{{- end -}} diff --git a/deploy/helm/polaris/templates/webhook.service.yaml b/deploy/helm/polaris/templates/webhook.service.yaml deleted file mode 100644 index b7049a09..00000000 --- a/deploy/helm/polaris/templates/webhook.service.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.webhook.enable -}} -apiVersion: v1 -kind: Service -metadata: - name: polaris-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "polaris.labels" . | nindent 4 }} -spec: - ports: - - name: webhook - port: 443 - protocol: TCP - targetPort: 9876 - selector: - {{- include "polaris.selectors" . | nindent 4 }} - component: webhook - type: ClusterIP -{{- end -}} diff --git a/deploy/helm/polaris/values.yaml b/deploy/helm/polaris/values.yaml deleted file mode 100644 index 72d7bde7..00000000 --- a/deploy/helm/polaris/values.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -config: | - resources: - cpuRequestsMissing: warning - cpuLimitsMissing: warning - memoryRequestsMissing: warning - memoryLimitsMissing: warning - images: - tagNotSpecified: error - healthChecks: - readinessProbeMissing: warning - livenessProbeMissing: warning - networking: - hostNetworkSet: warning - hostPortSet: warning - security: - hostIPCSet: error - hostPIDSet: error - notReadOnlyRootFileSystem: warning - privilegeEscalationAllowed: error - runAsRootAllowed: warning - runAsPrivileged: error - capabilities: - error: - ifAnyAdded: - - SYS_ADMIN - - NET_ADMIN - - ALL - warning: - ifAnyAddedBeyond: - - CHOWN - - DAC_OVERRIDE - - FSETID - - FOWNER - - MKNOD - - NET_RAW - - SETGID - - SETUID - - SETFCAP - - SETPCAP - - NET_BIND_SERVICE - - SYS_CHROOT - - KILL - - AUDIT_WRITE - -dashboard: - enable: true - replicas: 1 - service: - type: ClusterIP - image: - repository: quay.io/reactiveops/polaris - tag: 0.1.5 - pullPolicy: Always - -webhook: - enable: false - replicas: 1 - image: - repository: quay.io/reactiveops/polaris - tag: 0.1.5 - pullPolicy: Always - -rbac: - create: true - -templateOnly: false diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml deleted file mode 100644 index 1c431069..00000000 --- a/deploy/webhook.yaml +++ /dev/null 
@@ -1,280 +0,0 @@ ---- -# Source: polaris/templates/0-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: polaris ---- -# Source: polaris/templates/webhook.secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris -type: Opaque -stringData: - cert.pem: '' ---- -# Source: polaris/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: polaris - namespace: polaris - labels: - app: polaris -data: - config.yaml: | - resources: - cpuRequestsMissing: warning - cpuLimitsMissing: warning - memoryRequestsMissing: warning - memoryLimitsMissing: warning - images: - tagNotSpecified: error - healthChecks: - readinessProbeMissing: warning - livenessProbeMissing: warning - networking: - hostNetworkSet: warning - hostPortSet: warning - security: - hostIPCSet: error - hostPIDSet: error - notReadOnlyRootFileSystem: warning - privilegeEscalationAllowed: error - runAsRootAllowed: warning - runAsPrivileged: error - capabilities: - error: - ifAnyAdded: - - SYS_ADMIN - - NET_ADMIN - - ALL - warning: - ifAnyAddedBeyond: - - CHOWN - - DAC_OVERRIDE - - FSETID - - FOWNER - - MKNOD - - NET_RAW - - SETGID - - SETUID - - SETFCAP - - SETPCAP - - NET_BIND_SERVICE - - SYS_CHROOT - - KILL - - AUDIT_WRITE - ---- -# Source: polaris/templates/webhook.rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: polaris-webhook - labels: - app: polaris -rules: - - apiGroups: - - 'apps' - - 'extensions' - resources: - - 'deployments' - verbs: - - 'get' - - 'list' - # required by controller-runtime code doing a cluster wide lookup - # when it seems namespace would suffice - - apiGroups: - - '' - resources: - - 'secrets' - - 'services' - verbs: - - 'get' - - 'list' - - 'watch' - - apiGroups: - - 'admissionregistration.k8s.io' - resources: - - 
'validatingwebhookconfigurations' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: polaris-webhook - labels: - app: polaris -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: polaris-webhook -subjects: - - kind: ServiceAccount - name: polaris-webhook - namespace: polaris ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris -rules: - # required for current controller-runtime bootstrap method - - apiGroups: - - '' - resources: - - 'secrets' - - 'services' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: polaris-webhook -subjects: - - kind: ServiceAccount - name: polaris-webhook - namespace: polaris ---- -# Source: polaris/templates/webhook.service.yaml -apiVersion: v1 -kind: Service -metadata: - name: polaris-webhook - namespace: polaris - labels: - app: polaris -spec: - ports: - - name: webhook - port: 443 - protocol: TCP - targetPort: 9876 - selector: - app: polaris - component: webhook - type: ClusterIP ---- -# Source: polaris/templates/webhook.deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - checksum/config: '6ec4a4dc87403cae67c01438398a5f1d4ef836ffeaf26a33b685c066b940495a' - name: polaris-webhook - namespace: polaris - labels: - app: polaris - component: webhook -spec: - replicas: 1 - selector: - matchLabels: - app: polaris - component: webhook - template: - metadata: - labels: - app: polaris - component: webhook - spec: - containers: - - name: webhook - command: - - polaris - - --webhook - - --config - - /opt/app/config.yaml - image: 'quay.io/reactiveops/polaris:0.1.5' - imagePullPolicy: 'Always' - ports: - - containerPort: 9876 - # These are fairly useless 
readiness/liveness probes for now - # Follow this issue for potential improvements: - # https://github.com/kubernetes-sigs/controller-runtime/issues/356 - livenessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - readinessProbe: - exec: - command: - - sh - - -c - - ps -ef | grep polaris - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 100m - memory: 128Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - name: config - mountPath: /opt/app/config.yaml - subPath: config.yaml - readOnly: true - - name: secret - mountPath: /opt/cert/ - readOnly: true - - name: cr-logs - mountPath: /tmp/ - readOnly: false - serviceAccountName: polaris-webhook - volumes: - - name: config - configMap: - name: polaris - - name: secret - secret: - secretName: polaris-webhook - - name: cr-logs - emptyDir: {} ---- -# Source: polaris/templates/dashboard.deployment.yaml - ---- -# Source: polaris/templates/dashboard.rbac.yaml - ---- -# Source: polaris/templates/dashboard.service.yaml -