From 92a5cd7104a09645294be227f903b266e3ce79f9 Mon Sep 17 00:00:00 2001 From: Jacob Weinstock Date: Tue, 15 Oct 2024 15:12:19 -0600 Subject: [PATCH 1/4] Standardize RBAC across all services: All services can have either Role/RoleBinding or ClusterRole/ClusterRoleBinding RBAC objects. The default is Role/RoleBinding. All Tinkerbell services use controller-runtime for Kubernetes interactions. In controller-runtime, if Role/RoleBinding is used, then a Kubernetes namespace is required. If ClusterRole/ClusterRoleBinding is used, then no namespace should be specified. Each service has been updated to toggle its corresponding CLI flag for setting the namespace based on the RBAC type. 
Signed-off-by: Jacob Weinstock --- tinkerbell/hegel/Chart.yaml | 3 +- tinkerbell/hegel/templates/deployment.yaml | 3 + tinkerbell/hegel/templates/role.yaml | 27 +- tinkerbell/hegel/templates/rolebinding.yaml | 10 +- tinkerbell/hegel/values.schema.json | 142 ++++++ tinkerbell/hegel/values.yaml | 6 +- tinkerbell/rufio/Chart.yaml | 5 +- tinkerbell/rufio/templates/cluster-role.yaml | 94 ---- tinkerbell/rufio/templates/deployment.yaml | 3 + ...er-role-binding.yaml => role-binding.yaml} | 11 +- tinkerbell/rufio/templates/role.yaml | 19 + tinkerbell/rufio/values.schema.json | 126 ++++++ tinkerbell/rufio/values.yaml | 7 +- tinkerbell/smee/Chart.yaml | 5 +- .../smee/templates/cluster-role-binding.yaml | 14 - tinkerbell/smee/templates/cluster-role.yaml | 25 -- tinkerbell/smee/templates/deployment.yaml | 2 + tinkerbell/smee/templates/role-binding.yaml | 17 + tinkerbell/smee/templates/role.yaml | 13 + tinkerbell/smee/values.schema.json | 403 ++++++++++++++++++ tinkerbell/smee/values.yaml | 8 +- tinkerbell/stack/Chart.lock | 12 +- tinkerbell/stack/Chart.yaml | 9 +- tinkerbell/stack/values.yaml | 13 +- tinkerbell/tink/Chart.yaml | 3 +- .../tink-controller/cluster-role-binding.yaml | 14 - .../tink-controller/cluster-role.yaml | 41 -- .../templates/tink-controller/deployment.yaml | 5 +- .../tink-controller/role-binding.yaml | 17 + .../tink/templates/tink-controller/role.yaml | 46 ++ .../tink-server/cluster-role-binding.yaml | 14 - .../templates/tink-server/deployment.yaml | 3 + .../templates/tink-server/role-binding.yaml | 17 + .../{cluster-role.yaml => role.yaml} | 14 +- tinkerbell/tink/values.schema.json | 267 ++++++++++++ tinkerbell/tink/values.yaml | 12 +- 36 files changed, 1157 insertions(+), 273 deletions(-) create mode 100644 tinkerbell/hegel/values.schema.json delete mode 100644 tinkerbell/rufio/templates/cluster-role.yaml rename tinkerbell/rufio/templates/{cluster-role-binding.yaml => role-binding.yaml} (50%) create mode 100644 tinkerbell/rufio/templates/role.yaml create 
mode 100644 tinkerbell/rufio/values.schema.json delete mode 100644 tinkerbell/smee/templates/cluster-role-binding.yaml delete mode 100644 tinkerbell/smee/templates/cluster-role.yaml create mode 100644 tinkerbell/smee/templates/role-binding.yaml create mode 100644 tinkerbell/smee/templates/role.yaml create mode 100644 tinkerbell/smee/values.schema.json delete mode 100644 tinkerbell/tink/templates/tink-controller/cluster-role-binding.yaml delete mode 100644 tinkerbell/tink/templates/tink-controller/cluster-role.yaml create mode 100644 tinkerbell/tink/templates/tink-controller/role-binding.yaml create mode 100644 tinkerbell/tink/templates/tink-controller/role.yaml delete mode 100644 tinkerbell/tink/templates/tink-server/cluster-role-binding.yaml create mode 100644 tinkerbell/tink/templates/tink-server/role-binding.yaml rename tinkerbell/tink/templates/tink-server/{cluster-role.yaml => role.yaml} (71%) create mode 100644 tinkerbell/tink/values.schema.json diff --git a/tinkerbell/hegel/Chart.yaml b/tinkerbell/hegel/Chart.yaml index 8c3d0dbd..ef086b75 100644 --- a/tinkerbell/hegel/Chart.yaml +++ b/tinkerbell/hegel/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: hegel description: An instance metadata service +icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png # A chart can be either an 'application' or a 'library' chart. # @@ -15,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.6 +version: 0.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
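Review bot: The added `icon:` is a github.com `blob` URL, which serves an HTML page rather than the PNG itself, so chart repositories and UIs that fetch the icon will most likely fail to render it; the same URL is added in the rufio, smee, stack and tink Chart.yaml hunks (L7, L12, L18, L19). Point it at the raw file instead, e.g. `icon: https://raw.githubusercontent.com/tinkerbell/artwork/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png`. The version bump in the second hunk of this file is fine as is.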
diff --git a/tinkerbell/hegel/templates/deployment.yaml b/tinkerbell/hegel/templates/deployment.yaml index 519275d2..752db992 100644 --- a/tinkerbell/hegel/templates/deployment.yaml +++ b/tinkerbell/hegel/templates/deployment.yaml @@ -32,6 +32,9 @@ spec: - args: - --backend=kubernetes - --http-addr=:{{ .Values.deployment.port }} + {{- if eq .Values.rbac.type "Role"}} + - --kubernetes-namespace={{ .Release.Namespace }} + {{- end }} {{- range .Values.args }} - {{ . }} {{- end }} diff --git a/tinkerbell/hegel/templates/role.yaml b/tinkerbell/hegel/templates/role.yaml index 7682d103..0525a30a 100644 --- a/tinkerbell/hegel/templates/role.yaml +++ b/tinkerbell/hegel/templates/role.yaml @@ -1,26 +1,13 @@ {{- if .Values.deploy }} apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: {{ .Values.rbac.type }} metadata: - name: {{ .Values.roleName }} + name: {{ .Values.rbac.name }} + {{- if eq .Values.rbac.type "Role" }} namespace: {{ .Release.Namespace | quote }} + {{- end }} rules: - - apiGroups: - - tinkerbell.org - resources: - - hardware - - hardware/status - verbs: - - get - - list - - watch - - apiGroups: - - tinkerbell.org - resources: - - workflows - - workflows/status - verbs: - - get - - list - - watch + - apiGroups: ["tinkerbell.org"] + resources: ["hardware", "hardware/status"] + verbs: ["get", "watch", "list"] {{- end }} diff --git a/tinkerbell/hegel/templates/rolebinding.yaml b/tinkerbell/hegel/templates/rolebinding.yaml index 523b9e95..630950dc 100644 --- a/tinkerbell/hegel/templates/rolebinding.yaml +++ b/tinkerbell/hegel/templates/rolebinding.yaml 
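Review bot: The rewritten `rules:` in role.yaml drop the `workflows`/`workflows/status` read permission the previous Role granted, so this hunk narrows Hegel's access beyond the Role/ClusterRole switch the commit message describes; if Hegel still lists or watches workflows this surfaces only at runtime as Forbidden errors. Either restore the second rule `- apiGroups: ["tinkerbell.org"]`, `resources: ["workflows", "workflows/status"]`, `verbs: ["get", "list", "watch"]`, or state the removal explicitly in the commit message. Separately, the verb order `["get", "watch", "list"]` differs from the `["get", "list", "watch"]` used by the rufio and smee roles in this same patch, and `{{- if eq .Values.rbac.type "Role"}}` in the deployment hunk (also in the smee deployment hunk at L13) is missing the space before `}}` that every other template here uses.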
@@ -1,13 +1,15 @@ {{- if .Values.deploy }} apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding +kind: {{ printf "%sBinding" .Values.rbac.type }} metadata: - name: {{ .Values.roleBindingName }} + name: {{ .Values.rbac.bindingName }} + {{- if eq .Values.rbac.type "Role" }} namespace: {{ .Release.Namespace | quote }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ .Values.roleName }} + kind: {{ .Values.rbac.type }} + name: {{ .Values.rbac.name }} subjects: - kind: ServiceAccount name: {{ .Values.name }} diff --git a/tinkerbell/hegel/values.schema.json b/tinkerbell/hegel/values.schema.json new file mode 100644 index 00000000..6c7bfac1 --- /dev/null +++ b/tinkerbell/hegel/values.schema.json 
@@ -0,0 +1,142 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "type": "object",
+ "properties": {
+ "deploy": {
+ "type": "boolean"
+ },
+ "name": {
+ "type": "string"
+ },
+ "image": {
+ "type": "string"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "replicas": {
+ "type": "integer"
+ },
+ "service": {
+ "type": "object",
+ "properties": {
+ "port": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "port"
+ ]
+ },
+ "deployment": {
+ "type": "object",
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "portName": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "port",
+ "portName"
+ ]
+ },
+ "resources": {
+ "type": "object",
+ "properties": {
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string"
+ },
+ "memory": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "cpu",
+ "memory"
+ ]
+ },
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string"
+ },
+ "memory": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "cpu",
+ "memory"
+ ]
+ }
+ },
+ "required": [
+ "limits",
+ "requests"
+ ]
+ },
+ "rbac": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": ["Role", "ClusterRole"]
+ },
+ "name": {
+ "type": "string"
+ },
+ "bindingName": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "type",
+ "name",
+ "bindingName"
+ ]
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "trustedProxies": {
+ "type": "array",
+ "items": {}
+ },
+ "singleNodeClusterConfig": {
+ "type": "object",
+ "properties": {
+ "controlPlaneTolerationsEnabled": {
+ "type": "boolean"
+ },
+ "nodeAffinityWeight": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "controlPlaneTolerationsEnabled",
+ "nodeAffinityWeight"
+ ]
+ }
+ },
+ "required": [
+ "deploy",
+ "name",
+ "image",
+ "imagePullPolicy",
+ "replicas",
+ "service",
+ "deployment",
+ "resources",
+ "rbac",
+ "nodeSelector",
+ "trustedProxies",
+ "singleNodeClusterConfig"
+ ]
+ }
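Review bot: The new schema leaves `imagePullPolicy` as an unconstrained string, although Kubernetes only accepts three values, so a typo such as `ifNotPresent` passes `helm lint` and fails only at apply time; the rufio and smee schemas (L11, L15) have the same gap. I would tighten it to `"imagePullPolicy": { "type": "string", "enum": ["Always", "IfNotPresent", "Never"] }`. The `rbac.type` enum added here is the right pattern and is what makes the `eq .Values.rbac.type "Role"` checks in the templates safe.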
diff --git a/tinkerbell/hegel/values.yaml b/tinkerbell/hegel/values.yaml index b2f88273..5667d9c3 100644 --- a/tinkerbell/hegel/values.yaml +++ b/tinkerbell/hegel/values.yaml @@ -15,8 +15,10 @@ resources: requests: cpu: 10m memory: 64Mi -roleName: hegel-role -roleBindingName: hegel-rolebinding +rbac: + type: Role # or ClusterRole + name: hegel-role # or hegel-cluster-role + bindingName: hegel-rolebinding # or hegel-cluster-rolebinding nodeSelector: {} # Trusted proxies defines a list of IP or CIDR ranges that are allowed to set the X-Forwarded-For diff --git a/tinkerbell/rufio/Chart.yaml b/tinkerbell/rufio/Chart.yaml index f0f63c1d..5b6622cb 100644 --- a/tinkerbell/rufio/Chart.yaml +++ b/tinkerbell/rufio/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: rufio -description: A Helm chart for Kubernetes +description: Rufio handles BMC interactions for Tinkerbell +icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png # A chart can be either an 'application' or a 'library' chart. # @@ -15,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.10 +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/tinkerbell/rufio/templates/cluster-role.yaml b/tinkerbell/rufio/templates/cluster-role.yaml deleted file mode 100644 index 30986344..00000000 --- a/tinkerbell/rufio/templates/cluster-role.yaml +++ /dev/null 
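Review bot: With `rbac.type: ClusterRole` the defaults `name: hegel-role` and `bindingName: hegel-rolebinding` name cluster-scoped objects, so two releases of this chart in different namespaces would overwrite each other's ClusterRole and ClusterRoleBinding; the `# or hegel-cluster-role` comments hint at renaming but do not say why. The rufio and smee values hunks at L12 and L17 carry the same defaults and the same gap. I would add above `type:` the comment `# ClusterRole/ClusterRoleBinding are cluster-scoped: when type is ClusterRole, give name and bindingName a release-unique value so multiple installs do not collide.`, or, presumably better, have the templates derive the names from `.Release.Name` when the type is ClusterRole.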
@@ -1,94 +0,0 @@ -{{- if .Values.deploy }}--- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: {{ .Values.managerRoleName }} -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch -- apiGroups: - - bmc.tinkerbell.org - resources: - - jobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - bmc.tinkerbell.org - resources: - - jobs/finalizers - verbs: - - update -- apiGroups: - - bmc.tinkerbell.org - resources: - - jobs/status - verbs: - - get - - patch - - update -- apiGroups: - - bmc.tinkerbell.org - resources: - - machines - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - bmc.tinkerbell.org - resources: - - machines/finalizers - verbs: - - update -- apiGroups: - - bmc.tinkerbell.org - resources: - - machines/status - verbs: - - get - - patch - - update -- apiGroups: - - bmc.tinkerbell.org - resources: - - tasks - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - bmc.tinkerbell.org - resources: - - tasks/finalizers - verbs: - - update -- apiGroups: - - bmc.tinkerbell.org - resources: - - tasks/status - verbs: - - get - - patch - - update -{{- end }} diff --git a/tinkerbell/rufio/templates/deployment.yaml b/tinkerbell/rufio/templates/deployment.yaml index 0ccf8f00..a053abe8 100644 --- a/tinkerbell/rufio/templates/deployment.yaml +++ b/tinkerbell/rufio/templates/deployment.yaml @@ -41,6 +41,9 @@ spec: - /manager args: - --leader-elect + {{- if eq .Values.rbac.type "Role" }} + - -kube-namespace={{ .Release.Namespace }} + {{- end }} {{- range .Values.additionalArgs }} - {{ . }} {{- end }} 
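Review bot: The added `-kube-namespace=` uses a single dash while `--leader-elect` on the line above uses two, and the other services in this patch pass `--kubernetes-namespace` or `--kube-namespace`; Go's standard flag package accepts either form, so this is presumably harmless, but the mixed style inside one args list reads as if it were a different flag. I would write `- --kube-namespace={{ .Release.Namespace }}`, assuming the binary's flag is really named `kube-namespace`, which the chart alone cannot confirm. The deleted cluster-role.yaml in the first hunk needs no review beyond what is said on the replacement role.yaml.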
diff --git a/tinkerbell/rufio/templates/cluster-role-binding.yaml b/tinkerbell/rufio/templates/role-binding.yaml similarity index 50% rename from tinkerbell/rufio/templates/cluster-role-binding.yaml rename to tinkerbell/rufio/templates/role-binding.yaml index bdcd2225..03df9687 100644 --- a/tinkerbell/rufio/templates/cluster-role-binding.yaml +++ b/tinkerbell/rufio/templates/role-binding.yaml @@ -1,12 +1,15 @@ {{- if .Values.deploy }} apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: {{ printf "%sBinding" .Values.rbac.type }} metadata: - name: {{ .Values.managerRoleBindingName }} + name: {{ .Values.rbac.bindingName }} + {{- if eq .Values.rbac.type "Role" }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.managerRoleName }} + kind: {{ .Values.rbac.type }} + name: {{ .Values.rbac.name }} subjects: - kind: ServiceAccount name: {{ .Values.serviceAccountName }} diff --git a/tinkerbell/rufio/templates/role.yaml b/tinkerbell/rufio/templates/role.yaml new file mode 100644 index 00000000..862d35d7 --- /dev/null +++ b/tinkerbell/rufio/templates/role.yaml @@ -0,0 +1,19 @@ +{{- if .Values.deploy }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: {{ .Values.rbac.type }} +metadata: + name: {{ .Values.rbac.name }} + {{- if eq .Values.rbac.type "Role" }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] +- apiGroups: ["bmc.tinkerbell.org"] + resources: ["jobs", "jobs/status", "machines", "machines/status", "tasks", "tasks/status"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] +- apiGroups: ["bmc.tinkerbell.org"] + resources: ["jobs/finalizers", "machines/finalizers", "tasks/finalizers"] + verbs: ["update"] +{{- end }} 
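Review bot: Folding `jobs/status`, `machines/status` and `tasks/status` into the first bmc.tinkerbell.org rule in role.yaml grants them `create`, `delete`, `list` and `watch`, whereas the deleted cluster-role.yaml (L8) allowed only `get`, `patch` and `update` on the status subresources; those extra verbs are not meaningful on a status subresource, but the rule no longer expresses least privilege and anyone diffing old against new manifests sees a widening. Keeping the status subresources in their own rule, as below, preserves the original grant. The `secrets` rule is also worth a comment in this file: with `rbac.type: ClusterRole` it becomes a cluster-wide read of every Secret, which is the one place where this switch materially changes blast radius.
```yaml
rules:
# … unchanged: secrets rule …
- apiGroups: ["bmc.tinkerbell.org"]
  resources: ["jobs", "machines", "tasks"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["bmc.tinkerbell.org"]
  resources: ["jobs/status", "machines/status", "tasks/status"]
  verbs: ["get", "patch", "update"]
# … unchanged: finalizers rule …
```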
diff --git a/tinkerbell/rufio/values.schema.json b/tinkerbell/rufio/values.schema.json
new file mode 100644
index 00000000..59a142b8
--- /dev/null
+++ b/tinkerbell/rufio/values.schema.json
@@ -0,0 +1,126 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "type": "object",
+ "properties": {
+ "deploy": {
+ "type": "boolean"
+ },
+ "name": {
+ "type": "string"
+ },
+ "image": {
+ "type": "string"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "resources": {
+ "type": "object",
+ "properties": {
+ "requests": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string"
+ },
+ "memory": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "cpu",
+ "memory"
+ ]
+ },
+ "limits": {
+ "type": "object",
+ "properties": {
+ "cpu": {
+ "type": "string"
+ },
+ "memory": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "cpu",
+ "memory"
+ ]
+ }
+ },
+ "required": [
+ "requests",
+ "limits"
+ ]
+ },
+ "additionalArgs": {
+ "type": "array",
+ "items": {}
+ },
+ "serviceAccountName": {
+ "type": "string"
+ },
+ "rufioLeaderElectionRoleName": {
+ "type": "string"
+ },
+ "rufioLeaderElectionRoleBindingName": {
+ "type": "string"
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "hostNetwork": {
+ "type": "boolean"
+ },
+ "singleNodeClusterConfig": {
+ "type": "object",
+ "properties": {
+ "controlPlaneTolerationsEnabled": {
+ "type": "boolean"
+ },
+ "nodeAffinityWeight": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "controlPlaneTolerationsEnabled",
+ "nodeAffinityWeight"
+ ]
+ },
+ "rbac": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "enum": ["Role", "ClusterRole"]
+ },
+ "name": {
+ "type": "string"
+ },
+ "bindingName": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "type",
+ "name",
+ "bindingName"
+ ]
+ }
+ },
+ "required": [
+ "deploy",
+ "name",
+ "image",
+ "imagePullPolicy",
+ "resources",
+ "additionalArgs",
+ "serviceAccountName",
+ "rufioLeaderElectionRoleName",
+ "rufioLeaderElectionRoleBindingName",
+ "nodeSelector",
+ "hostNetwork",
+ "singleNodeClusterConfig",
+ "rbac"
+ ]
+ }
diff --git a/tinkerbell/rufio/values.yaml b/tinkerbell/rufio/values.yaml
index ebd487e9..7af842c2 100644
--- a/tinkerbell/rufio/values.yaml +++ b/tinkerbell/rufio/values.yaml @@ -12,12 +12,15 @@ resources: additionalArgs: [] serviceAccountName: rufio-controller-manager rufioLeaderElectionRoleName: rufio-leader-election-role -managerRoleName: rufio-manager-role rufioLeaderElectionRoleBindingName: rufio-leader-election-rolebinding -managerRoleBindingName: rufio-manager-rolebinding nodeSelector: {} hostNetwork: false # singleNodeClusterConfig to add tolerations for deployments on control plane nodes. This is defaulted to false. singleNodeClusterConfig: controlPlaneTolerationsEnabled: false nodeAffinityWeight: 1 + +rbac: + type: Role # or ClusterRole + name: rufio-role # or rufio-cluster-role + bindingName: rufio-rolebinding # or rufio-cluster-rolebinding diff --git a/tinkerbell/smee/Chart.yaml b/tinkerbell/smee/Chart.yaml index 1b6d1b4c..d1f4f798 100644 --- a/tinkerbell/smee/Chart.yaml +++ b/tinkerbell/smee/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: smee -description: A Helm chart for Kubernetes +description: Smee is the network boot service for Tinkerbell +icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png # A chart can be either an 'application' or a 'library' chart. # @@ -15,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.4.1 +version: 0.5.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/tinkerbell/smee/templates/cluster-role-binding.yaml b/tinkerbell/smee/templates/cluster-role-binding.yaml deleted file mode 100644 index 0445fb85..00000000 --- a/tinkerbell/smee/templates/cluster-role-binding.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -{{- if .Values.deploy }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ .Values.roleBindingName }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.roleName }} -subjects: - - kind: ServiceAccount - name: {{ .Values.name }} - namespace: {{ .Release.Namespace | quote }} -{{- end }} diff --git a/tinkerbell/smee/templates/cluster-role.yaml b/tinkerbell/smee/templates/cluster-role.yaml deleted file mode 100644 index 4e49516e..00000000 --- a/tinkerbell/smee/templates/cluster-role.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.deploy }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ .Values.roleName }} -rules: - - apiGroups: - - tinkerbell.org - resources: - - hardware - - hardware/status - verbs: - - get - - list - - watch - - apiGroups: - - tinkerbell.org - resources: - - workflows - - workflows/status - verbs: - - get - - list - - watch -{{- end }} diff --git a/tinkerbell/smee/templates/deployment.yaml b/tinkerbell/smee/templates/deployment.yaml index 5c9035f0..06f0ba90 100644 --- a/tinkerbell/smee/templates/deployment.yaml +++ b/tinkerbell/smee/templates/deployment.yaml @@ -42,7 +42,9 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} args: - -log-level={{ .Values.logLevel }} + {{- if eq .Values.rbac.type "Role"}} - -backend-kube-namespace={{ .Release.Namespace }} + {{- end }} - -dhcp-addr={{ printf "%v:%v" .Values.dhcp.ip .Values.dhcp.port }} - -dhcp-enabled={{ .Values.dhcp.enabled }} - -dhcp-tftp-port={{ .Values.dhcp.tftpPort }} diff --git a/tinkerbell/smee/templates/role-binding.yaml b/tinkerbell/smee/templates/role-binding.yaml new file mode 100644 index 00000000..630950dc --- /dev/null +++ b/tinkerbell/smee/templates/role-binding.yaml 
@@ -0,0 +1,17 @@ +{{- if .Values.deploy }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: {{ printf "%sBinding" .Values.rbac.type }} +metadata: + name: {{ .Values.rbac.bindingName }} + {{- if eq .Values.rbac.type "Role" }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: {{ .Values.rbac.type }} + name: {{ .Values.rbac.name }} +subjects: + - kind: ServiceAccount + name: {{ .Values.name }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/tinkerbell/smee/templates/role.yaml b/tinkerbell/smee/templates/role.yaml new file mode 100644 index 00000000..e74aaa0c --- /dev/null +++ b/tinkerbell/smee/templates/role.yaml @@ -0,0 +1,13 @@ +{{- if .Values.deploy }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: {{ .Values.rbac.type }} +metadata: + name: {{ .Values.rbac.name }} + {{- if eq .Values.rbac.type "Role" }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} +rules: + - apiGroups: ["tinkerbell.org"] + resources: ["hardware", "hardware/status"] + verbs: ["get", "list", "watch"] +{{- end }} diff --git a/tinkerbell/smee/values.schema.json b/tinkerbell/smee/values.schema.json new file mode 100644 index 00000000..abee8be7 --- /dev/null +++ b/tinkerbell/smee/values.schema.json 
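Review bot: The new smee role.yaml grants only `hardware`/`hardware/status`, while the cluster-role.yaml deleted at L13 also granted `get`/`list`/`watch` on `workflows` and `workflows/status`; nothing in the commit message says Smee stopped reading workflows, so this looks like an unintended narrowing that will only show up as Forbidden errors at runtime. If the workflow read is still needed, add under `rules:` the rule `- apiGroups: ["tinkerbell.org"]`, `resources: ["workflows", "workflows/status"]`, `verbs: ["get", "list", "watch"]`; if the drop is intentional, say so in the commit message. The role-binding.yaml in this hunk is the same content as hegel's and raises nothing new.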
@@ -0,0 +1,403 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "properties": { + "deploy": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "replicas": { + "type": "integer" + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "required": [ + "cpu", + "memory" + ] + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "required": [ + "cpu", + "memory" + ] + } + }, + "required": [ + "limits", + "requests" + ] + }, + "deployment": { + "type": "object", + "properties": { + "strategy": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + }, + "required": [ + "type" + ] + } + }, + "required": [ + "strategy" + ] + }, + "logLevel": { + "type": "string" + }, + "hostNetwork": { + "type": "boolean" + }, + "nodeSelector": { + "type": "object" + }, + "publicIP": { + "type": "string" + }, + "dhcp": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "mode": { + "type": "string" + }, + "ip": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "ipForPacket": { + "type": "string" + }, + "tftpIp": { + "type": "string" + }, + "tftpPort": { + "type": "integer" + }, + "syslogIp": { + "type": "string" + }, + "httpIPXE": { + "type": "object", + "properties": { + "binaryUrl": { + "type": "object", + "properties": { + "scheme": { + "type": "string" + }, + "host": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "required": [ + "scheme", + "host", + "port", + "path" + ] + }, + "scriptUrl": { + "type": "object", + "properties": { + "scheme": { + "type": "string" + }, + "host": { + 
"type": "string" + }, + "port": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "required": [ + "scheme", + "host", + "port", + "path" + ] + } + }, + "required": [ + "binaryUrl", + "scriptUrl" + ] + } + }, + "required": [ + "enabled", + "name", + "mode", + "ip", + "port", + "ipForPacket", + "tftpIp", + "tftpPort", + "syslogIp", + "httpIPXE" + ] + }, + "tftp": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "ip": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "timeout": { + "type": "string" + } + }, + "required": [ + "enabled", + "name", + "ip", + "port", + "timeout" + ] + }, + "http": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "ip": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "tinkServer": { + "type": "object", + "properties": { + "ip": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + "type": "boolean" + } + }, + "required": [ + "ip", + "port", + "tls" + ] + }, + "osieUrl": { + "type": "object", + "properties": { + "scheme": { + "type": "string" + }, + "host": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "path": { + "type": "string" + } + }, + "required": [ + "scheme", + "host", + "port", + "path" + ] + }, + "additionalKernelArgs": { + "type": "array", + "items": {} + }, + "ipxeBinaryEnabled": { + "type": "boolean" + }, + "ipxeScriptEnabled": { + "type": "boolean" + }, + "trustedProxies": { + "type": "array", + "items": {} + } + }, + "required": [ + "enabled", + "name", + "ip", + "port", + "tinkServer", + "osieUrl", + "additionalKernelArgs", + "ipxeBinaryEnabled", + "ipxeScriptEnabled", + "trustedProxies" + ] + }, + "syslog": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "ip": { + "type": "string" + }, + "port": { + "type": "integer" + } + }, + 
"required": [ + "enabled", + "name", + "ip", + "port" + ] + }, + "tinkWorkerImage": { + "type": "string" + }, + "additionalArgs": { + "type": "array", + "items": {} + }, + "additionalEnv": { + "type": "array", + "items": {} + }, + "singleNodeClusterConfig": { + "type": "object", + "properties": { + "controlPlaneTolerationsEnabled": { + "type": "boolean" + }, + "nodeAffinityWeight": { + "type": "integer" + } + }, + "required": [ + "controlPlaneTolerationsEnabled", + "nodeAffinityWeight" + ] + }, + "additionalVolumes": { + "type": "array", + "items": {} + }, + "additionalVolumeMounts": { + "type": "array", + "items": {} + }, + "rbac": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": ["Role", "ClusterRole"] + }, + "name": { + "type": "string" + }, + "bindingName": { + "type": "string" + } + }, + "required": [ + "type", + "name", + "bindingName" + ] + } + }, + "required": [ + "deploy", + "name", + "image", + "imagePullPolicy", + "replicas", + "resources", + "deployment", + "logLevel", + "hostNetwork", + "nodeSelector", + "publicIP", + "dhcp", + "tftp", + "http", + "syslog", + "tinkWorkerImage", + "additionalArgs", + "additionalEnv", + "singleNodeClusterConfig", + "additionalVolumes", + "additionalVolumeMounts", + "rbac" + ] + } diff --git a/tinkerbell/smee/values.yaml b/tinkerbell/smee/values.yaml index f8f9f282..046f0927 100644 --- a/tinkerbell/smee/values.yaml +++ b/tinkerbell/smee/values.yaml @@ -20,9 +20,6 @@ resources: cpu: 10m memory: 64Mi -roleName: smee-role -roleBindingName: smee-rolebinding - deployment: strategy: type: RollingUpdate @@ -149,3 +146,8 @@ additionalVolumeMounts: [ ] # - name: foo # mountPath: "/etc/foo" # readOnly: true + +rbac: + type: Role # or ClusterRole + name: smee-role # or smee-cluster-role + bindingName: smee-rolebinding # or smee-cluster-rolebinding diff --git a/tinkerbell/stack/Chart.lock b/tinkerbell/stack/Chart.lock index 6adffbb2..e9f24776 100644 --- a/tinkerbell/stack/Chart.lock 
+++ b/tinkerbell/stack/Chart.lock @@ -1,15 +1,15 @@ dependencies: - name: tink repository: file://../tink - version: 0.2.5 + version: 0.3.0 - name: smee repository: file://../smee - version: 0.4.1 + version: 0.5.0 - name: rufio repository: file://../rufio - version: 0.2.10 + version: 0.3.0 - name: hegel repository: file://../hegel - version: 0.3.6 -digest: sha256:07f82fcf3c90ae52de1f7a1e9fd355c686b0fd4ae6473347751752306ae2d2d8 -generated: "2024-09-02T09:56:16.704865595-06:00" + version: 0.4.0 +digest: sha256:dc14a7d42c5a6e4d4c34c2ad54377b8eb523855f45501d97131034d801d0511a +generated: "2024-10-15T10:54:54.593461345-06:00" diff --git a/tinkerbell/stack/Chart.yaml b/tinkerbell/stack/Chart.yaml index 7108e5c2..952d3368 100644 --- a/tinkerbell/stack/Chart.yaml +++ b/tinkerbell/stack/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: stack description: A Helm chart for Kubernetes +icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png # A chart can be either an 'application' or a 'library' chart. # @@ -25,14 +26,14 @@ appVersion: "0.5.0" dependencies: - name: tink - version: "0.2.5" + version: "0.3.0" repository: "file://../tink" - name: smee - version: "0.4.1" + version: "0.5.0" repository: "file://../smee" - name: rufio - version: "0.2.10" + version: "0.3.0" repository: "file://../rufio" - name: hegel - version: "0.3.6" + version: "0.4.0" repository: "file://../hegel" diff --git a/tinkerbell/stack/values.yaml b/tinkerbell/stack/values.yaml index 50f78c2c..92106209 100644 --- a/tinkerbell/stack/values.yaml +++ b/tinkerbell/stack/values.yaml 
@@ -14,6 +14,7 @@ stack: clusterDomain: cluster.local # &publicIP is a YAML anchor. It allows us to define a value once and reference it multiple times. # https://helm.sh/docs/chart_template_guide/yaml_techniques/#yaml-anchors + # If --set is used for loadBalancerIP, it will not be reflected in the references to the yaml anchor. loadBalancerIP: &publicIP 192.168.2.112 lbClass: kube-vip.io/kube-vip-class # Once the Kubernetes Gateway API is more stable, we will use that for all services instead of nginx. @@ -82,20 +83,20 @@ stack: # See individual chart documentation for additional detail. smee: - image: quay.io/tinkerbell/smee:v0.12.0 - tinkWorkerImage: quay.io/tinkerbell/tink-worker:v0.10.0 + image: reg.weinstocklabs.com/tinkerbell/smee:rbac + tinkWorkerImage: quay.io/tinkerbell/tink-worker trustedProxies: [] publicIP: *publicIP hegel: - image: quay.io/tinkerbell/hegel:v0.12.0 + image: quay.io/tinkerbell/hegel:sha-3ddcc60 trustedProxies: [] rufio: - image: quay.io/tinkerbell/rufio:v0.3.3 + image: quay.io/tinkerbell/rufio:sha-6180ef3 tink: controller: - image: quay.io/tinkerbell/tink-controller:v0.10.0 + image: quay.io/tinkerbell/tink-controller:sha-8c7a9c89 server: - image: quay.io/tinkerbell/tink:v0.10.0 + image: quay.io/tinkerbell/tink:sha-8c7a9c89 diff --git a/tinkerbell/tink/Chart.yaml b/tinkerbell/tink/Chart.yaml index e5691925..8d14cff6 100644 --- a/tinkerbell/tink/Chart.yaml +++ b/tinkerbell/tink/Chart.yaml @@ -1,6 +1,7 @@ apiVersion: v2 name: tink description: A Helm chart for Kubernetes +icon: https://github.com/tinkerbell/artwork/blob/6f07de53d75cb8932dbc7d14201e038cf3a3b230/Tinkerbell-Icon-Dark.png # A chart can be either an 'application' or a 'library' chart. # 
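Review bot: The stack chart's default images now point at `reg.weinstocklabs.com/tinkerbell/smee:rbac`, a registry outside the project, and at `quay.io/tinkerbell/tink-worker` with no tag at all, which resolves to a floating `latest`; hegel, rufio and tink move from release tags to `sha-…` tags. For the umbrella chart's default values these are supply-chain regressions: anyone installing the stack pulls from a third-party host and from mutable references. Presumably these are work-in-progress values for this PATCH 1/4 series, but they should be restored to released `quay.io/tinkerbell/<service>:vX.Y.Z` tags (ideally pinned by digest) before merge, and any remaining `sha-` tag called out in the commit message. The added comment on the `&publicIP` anchor is a genuinely useful caveat and can stay.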
@@ -15,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.5 +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/tinkerbell/tink/templates/tink-controller/cluster-role-binding.yaml b/tinkerbell/tink/templates/tink-controller/cluster-role-binding.yaml deleted file mode 100644 index ab5d106c..00000000 --- a/tinkerbell/tink/templates/tink-controller/cluster-role-binding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.controller.deploy }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ .Values.controller.roleBindingName }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ .Values.controller.roleName }} -subjects: - - kind: ServiceAccount - name: {{ .Values.controller.name }} - namespace: {{ .Release.Namespace | quote }} -{{- end }} diff --git a/tinkerbell/tink/templates/tink-controller/cluster-role.yaml b/tinkerbell/tink/templates/tink-controller/cluster-role.yaml deleted file mode 100644 index 7570615f..00000000 --- a/tinkerbell/tink/templates/tink-controller/cluster-role.yaml +++ /dev/null 
@@ -1,41 +0,0 @@
-{{- if .Values.controller.deploy }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ .Values.controller.roleName }}
-rules:
- - apiGroups:
- - tinkerbell.org
- resources:
- - hardware
- - hardware/status
- verbs:
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - tinkerbell.org
- resources:
- - templates
- - templates/status
- verbs:
- - get
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - tinkerbell.org
- resources:
- - workflows
- - workflows/status
- verbs:
- - delete
- - get
- - list
- - patch
- - update
- - watch
-{{- end }}
diff --git a/tinkerbell/tink/templates/tink-controller/deployment.yaml b/tinkerbell/tink/templates/tink-controller/deployment.yaml
index 13d6723b..25dcebb5 100644
--- a/tinkerbell/tink/templates/tink-controller/deployment.yaml
+++ b/tinkerbell/tink/templates/tink-controller/deployment.yaml
@@ -24,7 +24,10 @@ spec:
 - image: {{ .Values.controller.image }}
 imagePullPolicy: {{ .Values.controller.imagePullPolicy }}
 {{- if .Values.controller.args }}
- args:
+ args:
+ {{- if eq .Values.controller.rbac.type "Role" }}
+ - --kube-namespace={{ .Release.Namespace }}
+ {{- end }}
 {{- range .Values.controller.args }}
 - {{ . }}
 {{- end }}
diff --git a/tinkerbell/tink/templates/tink-controller/role-binding.yaml b/tinkerbell/tink/templates/tink-controller/role-binding.yaml
new file mode 100644
index 00000000..dfc4061a
--- /dev/null
+++ b/tinkerbell/tink/templates/tink-controller/role-binding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.controller.deploy }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .Values.controller.rbac.type }}Binding
+metadata:
+ name: {{ .Values.controller.rbac.bindingName }}
+ {{- if eq .Values.controller.rbac.type "Role" }}
+ namespace: {{ .Release.Namespace | quote }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: {{ .Values.controller.rbac.type }}
+ name: {{ .Values.controller.rbac.name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.controller.name }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
diff --git a/tinkerbell/tink/templates/tink-controller/role.yaml b/tinkerbell/tink/templates/tink-controller/role.yaml
new file mode 100644
index 00000000..a82c59c0
--- /dev/null
+++ b/tinkerbell/tink/templates/tink-controller/role.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.controller.deploy }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .Values.controller.rbac.type }}
+metadata:
+ name: {{ .Values.controller.rbac.name }}
+ {{- if eq .Values.controller.rbac.type "Role" }}
+ namespace: {{ .Release.Namespace | quote }}
+ {{- end }}
+rules:
+- apiGroups:
+ - bmc.tinkerbell.org
+ resources:
+ - job
+ - job/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - tinkerbell.org
+ resources:
+ - hardware
+ - hardware/status
+ - templates
+ - templates/status
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - tinkerbell.org
+ resources:
+ - workflows
+ - workflows/status
+ verbs:
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- end }}
diff --git a/tinkerbell/tink/templates/tink-server/cluster-role-binding.yaml b/tinkerbell/tink/templates/tink-server/cluster-role-binding.yaml
deleted file mode 100644
index b8d1c17d..00000000
--- a/tinkerbell/tink/templates/tink-server/cluster-role-binding.yaml
+++ /dev/null
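Review bot: `kind: {{ .Values.controller.rbac.type }}Binding` here and the server binding added later in this commit, `kind: {{ printf "%sBinding" .Values.server.rbac.type }}`, build the same value two different ways; pick one form for both templates so a reader comparing the two bindings sees only the real difference (`controller` vs `server`). The plain concatenation used here is the simpler of the two and reads fine, so the server template is the one to align.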
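Review bot: The first rule grants `create`, `delete`, `get`, `list` and `watch` on `job` and `job/status` in `bmc.tinkerbell.org`, a permission the ClusterRole removed earlier in this commit (tink-controller/cluster-role.yaml) did not carry, and neither the commit message nor a comment says why tink-controller now needs it. Kubernetes RBAC matches on the resource's lowercase plural name; if the Rufio CRD is served as `jobs` rather than `job`, this rule grants nothing and the controller's requests against that group are denied — verify with `kubectl api-resources --api-group=bmc.tinkerbell.org` and use the plural it reports. A one-line comment above the rule naming what the controller does with these objects would document the added grant for the next reviewer.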
@@ -1,14 +0,0 @@
-{{- if .Values.server.deploy }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ .Values.server.roleBindingName }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ .Values.server.roleName }}
-subjects:
- - kind: ServiceAccount
- name: {{ .Values.server.name }}
- namespace: {{ .Release.Namespace | quote }}
-{{- end }}
diff --git a/tinkerbell/tink/templates/tink-server/deployment.yaml b/tinkerbell/tink/templates/tink-server/deployment.yaml
index ef380263..2f10fc26 100644
--- a/tinkerbell/tink/templates/tink-server/deployment.yaml
+++ b/tinkerbell/tink/templates/tink-server/deployment.yaml
@@ -31,6 +31,9 @@ spec:
 containers:
 - args:
 - --backend=kubernetes
+ {{- if eq .Values.server.rbac.type "Role"}}
+ - --kube-namespace={{ .Release.Namespace }}
+ {{- end }}
 {{- range .Values.server.args }}
 - {{ . }}
 {{- end }}
diff --git a/tinkerbell/tink/templates/tink-server/role-binding.yaml b/tinkerbell/tink/templates/tink-server/role-binding.yaml
new file mode 100644
index 00000000..af82f036
--- /dev/null
+++ b/tinkerbell/tink/templates/tink-server/role-binding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.server.deploy }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ printf "%sBinding" .Values.server.rbac.type }}
+metadata:
+ name: {{ .Values.server.rbac.bindingName }}
+ {{- if eq .Values.server.rbac.type "Role" }}
+ namespace: {{ .Release.Namespace | quote }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: {{ .Values.server.rbac.type }}
+ name: {{ .Values.server.rbac.name }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.server.name }}
+ namespace: {{ .Release.Namespace | quote }}
+{{- end }}
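Review bot: `{{- if eq .Values.server.rbac.type "Role"}}` in the tink-server deployment hunk drops the space before `}}` that every other condition in this commit has (`"Role" }}` in tink-controller/deployment.yaml and in both binding templates); Go templates accept it, but the inconsistency sits on the one line a reader most needs to compare across services. Change it to `{{- if eq .Values.server.rbac.type "Role" }}`.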
diff --git a/tinkerbell/tink/templates/tink-server/cluster-role.yaml b/tinkerbell/tink/templates/tink-server/role.yaml
similarity index 71%
rename from tinkerbell/tink/templates/tink-server/cluster-role.yaml
rename to tinkerbell/tink/templates/tink-server/role.yaml
index ddb4d266..36d55a91 100644
--- a/tinkerbell/tink/templates/tink-server/cluster-role.yaml
+++ b/tinkerbell/tink/templates/tink-server/role.yaml
@@ -1,21 +1,17 @@
 {{- if .Values.server.deploy }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{ .Values.server.rbac.type }}
 metadata:
- name: {{ .Values.server.roleName }}
+ name: {{ .Values.server.rbac.name }}
+ {{- if eq .Values.server.rbac.type "Role" }}
+ namespace: {{ .Release.Namespace | quote }}
+ {{- end }}
 rules:
 - apiGroups:
 - tinkerbell.org
 resources:
 - hardware
 - hardware/status
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - tinkerbell.org
- - resources:
 - templates
 - templates/status
 verbs:
diff --git a/tinkerbell/tink/values.schema.json b/tinkerbell/tink/values.schema.json
new file mode 100644
index 00000000..b1485f1e
--- /dev/null
+++ b/tinkerbell/tink/values.schema.json
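Review bot: Removing the `verbs: get/list/watch` block and the second `apiGroups` header folds `hardware` and `hardware/status` into the rule that previously covered only `templates`, so tink-server's permissions on hardware become whatever that rule's `verbs:` list holds; that list starts at the last line of the hunk and continues outside it, so the widening cannot be confirmed from here. Before this change the server could only read hardware, and the controller's equivalent rule added in this commit (tink-controller/role.yaml) carries `patch` and `update` as well; if the server's templates rule does too, the rename silently grants tink-server write access to hardware. Keep hardware in its own rule with `get`, `list`, `watch` unless the server actually needs the extra verbs. The `rules:` block continues past the end of the hunk.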
@@ -0,0 +1,267 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "type": "object", + "$comment": "This file was generated and then modified.", + "properties": { + "controller": { + "type": "object", + "properties": { + "deploy": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "image": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string" + }, + "replicas": { + "type": "integer" + }, + "args": { + "type": "array", + "items": {} + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "required": [ + "cpu", + "memory" + ] + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "required": [ + "cpu", + "memory" + ] + } + }, + "required": [ + "limits", + "requests" + ] + }, + "tinkLeaderElectionRoleName": { + "type": "string" + }, + "tinkLeaderElectionRoleBindingName": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "singleNodeClusterConfig": { + "type": "object", + "properties": { + "controlPlaneTolerationsEnabled": { + "type": "boolean" + }, + "weight": { + "type": "integer" + } + }, + "required": [ + "controlPlaneTolerationsEnabled", + "weight" + ] + }, + "rbac": { + "type": "object", + "properties": { + "type": { + "type": "string" + }, + "name": { + "type": "string" + }, + "bindingName": { + "type": "string" + } + }, + "required": [ + "type", + "name", + "bindingName" + ] + } + }, + "required": [ + "deploy", + "name", + "image", + "imagePullPolicy", + "replicas", + "args", + "resources", + "tinkLeaderElectionRoleName", + "tinkLeaderElectionRoleBindingName", + "nodeSelector", + "singleNodeClusterConfig", + "rbac" + ] + }, + "server": { + "type": "object", + "properties": { + "deploy": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "image": { + "type": "string" + }, + 
"imagePullPolicy": { + "type": "string" + }, + "replicas": { + "type": "integer" + }, + "service": { + "type": "object", + "properties": { + "port": { + "type": "integer" + } + }, + "required": [ + "port" + ] + }, + "deployment": { + "type": "object", + "properties": { + "port": { + "type": "integer" + }, + "portName": { + "type": "string" + } + }, + "required": [ + "port", + "portName" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "required": [ + "cpu", + "memory" + ] + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "required": [ + "cpu", + "memory" + ] + } + }, + "required": [ + "limits", + "requests" + ] + }, + "nodeSelector": { + "type": "object" + }, + "singleNodeClusterConfig": { + "type": "object", + "properties": { + "controlPlaneTolerationsEnabled": { + "type": "boolean" + }, + "nodeAffinityWeight": { + "type": "integer" + } + }, + "required": [ + "controlPlaneTolerationsEnabled", + "nodeAffinityWeight" + ] + }, + "rbac": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": ["Role", "ClusterRole"] + }, + "name": { + "type": "string" + }, + "bindingName": { + "type": "string" + } + }, + "required": [ + "type", + "name", + "bindingName" + ] + } + }, + "required": [ + "deploy", + "name", + "image", + "imagePullPolicy", + "replicas", + "service", + "deployment", + "resources", + "nodeSelector", + "singleNodeClusterConfig", + "rbac" + ] + } + }, + "required": [ + "controller", + "server" + ] + } diff --git a/tinkerbell/tink/values.yaml b/tinkerbell/tink/values.yaml index bd6a2c76..7259bfa8 100644 --- a/tinkerbell/tink/values.yaml +++ b/tinkerbell/tink/values.yaml 
@@ -12,8 +12,6 @@ controller:
 requests:
 cpu: 10m
 memory: 64Mi
- roleName: tink-controller-manager-role
- roleBindingName: tink-controller-manager-rolebinding
 tinkLeaderElectionRoleName: tink-leader-election-role
 tinkLeaderElectionRoleBindingName: tink-leader-election-rolebinding
 nodeSelector: {}
@@ -21,6 +19,10 @@ controller:
 singleNodeClusterConfig:
 controlPlaneTolerationsEnabled: false
 weight: 1
+ rbac:
+ type: Role # or ClusterRole
+ name: tink-controller-role # or tink-controller-cluster-role
+ bindingName: tink-controller-rolebinding # or tink-controller-cluster-rolebinding
 server:
 deploy: true
@@ -40,10 +42,12 @@ server:
 requests:
 cpu: 10m
 memory: 64Mi
- roleName: tink-server-role
- roleBindingName: tink-server-rolebinding
 nodeSelector: {}
 # singleNodeClusterConfig to add tolerations for deployments on control plane nodes. This is defaulted to false.
 singleNodeClusterConfig:
 controlPlaneTolerationsEnabled: false
 nodeAffinityWeight: 1
+ rbac:
+ type: Role # or ClusterRole
+ name: tink-server-role # or tink-server-cluster-role
+ bindingName: tink-server-rolebinding # or tink-server-cluster-rolebinding
From d2d9e9d9df9f7fcc2ede461dae6bee0d8c63ab8a Mon Sep 17 00:00:00 2001
From: Jacob Weinstock
Date: Tue, 15 Oct 2024 17:27:09 -0600
Subject: [PATCH 2/4] Add Role/ClusterRole validation, fix CLI flag:
Signed-off-by: Jacob Weinstock
---
tinkerbell/tink/templates/tink-controller/deployment.yaml | 4 +---
tinkerbell/tink/values.schema.json | 3 ++-
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/tinkerbell/tink/templates/tink-controller/deployment.yaml b/tinkerbell/tink/templates/tink-controller/deployment.yaml
index 25dcebb5..51e82b08 100644
--- a/tinkerbell/tink/templates/tink-controller/deployment.yaml
+++ b/tinkerbell/tink/templates/tink-controller/deployment.yaml
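Review bot: `name: tink-controller-role # or tink-controller-cluster-role` and `bindingName: tink-controller-rolebinding # or tink-controller-cluster-rolebinding` (and the matching `server:` hunk below) suggest fixed names for the ClusterRole case without noting that ClusterRole and ClusterRoleBinding are cluster-scoped: two releases of this chart in different namespaces that both set `type: ClusterRole` would contend for the same `tink-controller-cluster-role` object, and the second install is rejected by Helm's ownership check on the existing resource. A comment on `rbac:` such as `# ClusterRole/ClusterRoleBinding are cluster-scoped; name and bindingName must then be unique across the cluster (e.g. include the release name).` would make the constraint visible, and deriving the default from `.Release.Name` in the templates would remove it.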
@@ -23,15 +23,13 @@ spec:
 containers:
 - image: {{ .Values.controller.image }}
 imagePullPolicy: {{ .Values.controller.imagePullPolicy }}
- {{- if .Values.controller.args }}
 args:
 {{- if eq .Values.controller.rbac.type "Role" }}
- - --kube-namespace={{ .Release.Namespace }}
+ - --namespace={{ .Release.Namespace }}
 {{- end }}
 {{- range .Values.controller.args }}
 - {{ . }}
 {{- end }}
- {{- end }}
 name: {{ .Values.controller.name }}
 resources:
 limits:
diff --git a/tinkerbell/tink/values.schema.json b/tinkerbell/tink/values.schema.json
index b1485f1e..1307be10 100644
--- a/tinkerbell/tink/values.schema.json
+++ b/tinkerbell/tink/values.schema.json
@@ -92,7 +92,8 @@
 "type": "object",
 "properties": {
 "type": {
- "type": "string"
+ "type": "string",
+ "enum": ["Role", "ClusterRole"]
 },
 "name": {
 "type": "string"
From 9101f01e01ed238f7d8b2b2633c62523243003b1 Mon Sep 17 00:00:00 2001
From: Jacob Weinstock
Date: Tue, 15 Oct 2024 18:42:11 -0600
Subject: [PATCH 3/4] Revert stack values.yaml
Signed-off-by: Jacob Weinstock
---
tinkerbell/stack/values.yaml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tinkerbell/stack/values.yaml b/tinkerbell/stack/values.yaml
index 92106209..ba9f5e9e 100644
--- a/tinkerbell/stack/values.yaml
+++ b/tinkerbell/stack/values.yaml
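Review bot: The controller's flag becomes `--namespace={{ .Release.Namespace }}` here, while the tink-server deployment added in PATCH 1/4 (tink-server/deployment.yaml) still passes `--kube-namespace={{ .Release.Namespace }}` under the same `Role` condition, and the commit message ("fix CLI flag") does not say whether the server's flag was checked as well. If the two binaries really take different flag names, a short comment next to each `--namespace` / `--kube-namespace` line naming the binary it targets would save the next reader the same question; if they do not, the server pod either rejects the unknown flag or, should it ignore it, falls back to cluster-wide list/watch that a namespaced Role does not permit. Confirm against tink-server's flag set and align the templates or document the difference. The container spec continues outside the hunk.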
@@ -83,20 +83,20 @@ stack:
 # See individual chart documentation for additional detail.
 smee:
- image: reg.weinstocklabs.com/tinkerbell/smee:rbac
- tinkWorkerImage: quay.io/tinkerbell/tink-worker
+ image: quay.io/tinkerbell/smee:v0.12.0
+ tinkWorkerImage: quay.io/tinkerbell/tink-worker:v0.10.0
 trustedProxies: []
 publicIP: *publicIP
 hegel:
- image: quay.io/tinkerbell/hegel:sha-3ddcc60
+ image: quay.io/tinkerbell/hegel:v0.12.0
 trustedProxies: []
 rufio:
- image: quay.io/tinkerbell/rufio:sha-6180ef3
+ image: quay.io/tinkerbell/rufio:v0.3.3
 tink:
 controller:
- image: quay.io/tinkerbell/tink-controller:sha-8c7a9c89
+ image: quay.io/tinkerbell/tink-controller:v0.10.0
 server:
- image: quay.io/tinkerbell/tink:sha-8c7a9c89
+ image: quay.io/tinkerbell/tink:v0.10.0
From 5b9b1d14ea5d8ce039a59e323a96ca0aa4ffc249 Mon Sep 17 00:00:00 2001
From: Jacob Weinstock
Date: Wed, 16 Oct 2024 09:59:38 -0600
Subject: [PATCH 4/4] Update all service versions to the latest:
All services have new versions.
Signed-off-by: Jacob Weinstock
---
tinkerbell/hegel/Chart.yaml | 2 +-
tinkerbell/hegel/values.yaml | 2 +-
tinkerbell/rufio/Chart.yaml | 2 +-
tinkerbell/rufio/values.yaml | 2 +-
tinkerbell/smee/Chart.yaml | 2 +-
tinkerbell/smee/values.yaml | 4 ++--
tinkerbell/stack/values.yaml | 12 ++++++------
tinkerbell/tink/Chart.yaml | 2 +-
tinkerbell/tink/values.yaml | 4 ++--
9 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/tinkerbell/hegel/Chart.yaml b/tinkerbell/hegel/Chart.yaml
index ef086b75..c77c81a6 100644
--- a/tinkerbell/hegel/Chart.yaml
+++ b/tinkerbell/hegel/Chart.yaml
@@ -22,4 +22,4 @@ version: 0.4.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.12.0"
+appVersion: "0.13.0"
diff --git a/tinkerbell/hegel/values.yaml b/tinkerbell/hegel/values.yaml
index 5667d9c3..f40fbbb0 100644
--- a/tinkerbell/hegel/values.yaml
+++ b/tinkerbell/hegel/values.yaml
@@ -1,6 +1,6 @@
 deploy: true
 name: hegel
-image: quay.io/tinkerbell/hegel:v0.12.0
+image: quay.io/tinkerbell/hegel:v0.13.0
 imagePullPolicy: IfNotPresent
 replicas: 1
 service:
diff --git a/tinkerbell/rufio/Chart.yaml b/tinkerbell/rufio/Chart.yaml
index 5b6622cb..c9183f14 100644
--- a/tinkerbell/rufio/Chart.yaml
+++ b/tinkerbell/rufio/Chart.yaml
@@ -22,4 +22,4 @@ version: 0.3.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.3.3"
+appVersion: "0.4.1"
diff --git a/tinkerbell/rufio/values.yaml b/tinkerbell/rufio/values.yaml
index 7af842c2..89fca681 100644
--- a/tinkerbell/rufio/values.yaml
+++ b/tinkerbell/rufio/values.yaml
@@ -1,6 +1,6 @@
 deploy: true
 name: rufio
-image: quay.io/tinkerbell/rufio:v0.3.3
+image: quay.io/tinkerbell/rufio:v0.4.1
 imagePullPolicy: IfNotPresent
 resources:
 requests:
diff --git a/tinkerbell/smee/Chart.yaml b/tinkerbell/smee/Chart.yaml
index d1f4f798..1b07c795 100644
--- a/tinkerbell/smee/Chart.yaml
+++ b/tinkerbell/smee/Chart.yaml
@@ -22,4 +22,4 @@ version: 0.5.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.12.0"
+appVersion: "0.13.0"
diff --git a/tinkerbell/smee/values.yaml b/tinkerbell/smee/values.yaml
index 046f0927..c275c548 100644
--- a/tinkerbell/smee/values.yaml
+++ b/tinkerbell/smee/values.yaml
@@ -5,7 +5,7 @@ deploy: true
 name: smee
 # The image used to launch the container.
-image: quay.io/tinkerbell/smee:v0.12.0
+image: quay.io/tinkerbell/smee:v0.13.0
 imagePullPolicy: IfNotPresent
 # The number of pods to run.
@@ -113,7 +113,7 @@ syslog:
 port: 514
 # The Tink Worker image passed to OSIE as a kernel arg for launching.
-tinkWorkerImage: quay.io/tinkerbell/tink-worker:v0.9.0
+tinkWorkerImage: quay.io/tinkerbell/tink-worker:v0.11.0
 # Additional arguments to pass to the smee container. Some arguments are already defined - refer
diff --git a/tinkerbell/stack/values.yaml b/tinkerbell/stack/values.yaml
index ba9f5e9e..a7c54da0 100644
--- a/tinkerbell/stack/values.yaml
+++ b/tinkerbell/stack/values.yaml
@@ -83,20 +83,20 @@ stack:
 # See individual chart documentation for additional detail.
 smee:
- image: quay.io/tinkerbell/smee:v0.12.0
- tinkWorkerImage: quay.io/tinkerbell/tink-worker:v0.10.0
+ image: quay.io/tinkerbell/smee:v0.13.0
+ tinkWorkerImage: quay.io/tinkerbell/tink-worker:v0.11.0
 trustedProxies: []
 publicIP: *publicIP
 hegel:
- image: quay.io/tinkerbell/hegel:v0.12.0
+ image: quay.io/tinkerbell/hegel:v0.13.0
 trustedProxies: []
 rufio:
- image: quay.io/tinkerbell/rufio:v0.3.3
+ image: quay.io/tinkerbell/rufio:v0.4.1
 tink:
 controller:
- image: quay.io/tinkerbell/tink-controller:v0.10.0
+ image: quay.io/tinkerbell/tink-controller:v0.11.0
 server:
- image: quay.io/tinkerbell/tink:v0.10.0
+ image: quay.io/tinkerbell/tink:v0.11.0
diff --git a/tinkerbell/tink/Chart.yaml b/tinkerbell/tink/Chart.yaml
index 8d14cff6..8ba36dd5 100644
--- a/tinkerbell/tink/Chart.yaml
+++ b/tinkerbell/tink/Chart.yaml
@@ -22,4 +22,4 @@ version: 0.3.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.10.0"
+appVersion: "0.11.0"
diff --git a/tinkerbell/tink/values.yaml b/tinkerbell/tink/values.yaml
index 7259bfa8..ba652f03 100644
--- a/tinkerbell/tink/values.yaml
+++ b/tinkerbell/tink/values.yaml
@@ -1,7 +1,7 @@
 controller:
 deploy: true
 name: tink-controller
- image: quay.io/tinkerbell/tink-controller:v0.10.0
+ image: quay.io/tinkerbell/tink-controller:v0.11.0
 imagePullPolicy: IfNotPresent
 replicas: 1
 args: []
@@ -27,7 +27,7 @@ controller:
 server:
 deploy: true
 name: tink-server
- image: quay.io/tinkerbell/tink:v0.10.0
+ image: quay.io/tinkerbell/tink:v0.11.0
 imagePullPolicy: IfNotPresent
 replicas: 1
 service: