Significant changes to the Kubernetes Tentacle chart (#13)

* Add job roles + service account and some cleanup

* Add job service account & permissions

* Add NFS deployment & a heap of changes

* Change NFS port to be configurable and have a better default

* Make clear can be multiple environments or roles

* Don't expose api key or bearer token in plain text in envs

charts/kubernetes-tentacle/Chart.yaml

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
+version: 0.1.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "8.0.117"
+appVersion: "8.0.332"

charts/kubernetes-tentacle/templates/_helpers.tpl

@@ -30,6 +30,7 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+
 {{/*
 Common labels
 */}}
@@ -54,9 +55,25 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "kubernetes-tentacle.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "kubernetes-tentacle.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
+{{- default (include "kubernetes-tentacle.fullname" .) .Values.jobServiceAccount.name }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kubernetes-tentacle.jobServiceAccountName" -}}
+{{- default (printf "%s-job" (include "kubernetes-tentacle.fullname" .)) .Values.serviceAccount.name }}
+{{- end }}
+
+{{- define "kubernetes-tentacle.secrets.serverAuth" -}}
+{{- printf "%s-server-auth" ( include "kubernetes-tentacle.fullname" . ) }}
 {{- end }}
+
+{{- define "kubernetes-tentacle.jobVolumeYaml" -}}
+volumes:
+- name: tentacle-home
+  nfs:
+    path: /
+    readOnly: false
+    server: {{ .Values.storage.nfsPort }}
+{{- end }}

charts/kubernetes-tentacle/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "kubernetes-tentacle.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "kubernetes-tentacle.labels" . | nindent 4 }}
 spec:
@@ -17,7 +18,7 @@ spec:
       {{- end }}
       labels:
         {{- include "kubernetes-tentacle.labels" . | nindent 8 }}
-	{{- with .Values.podLabels }}
+	      {{- with .Values.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
@@ -26,72 +27,82 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "kubernetes-tentacle.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+            {{- toYaml . | nindent 12 }}
+          {{- end}}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "%s-linux-amd64" .Chart.AppVersion) }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-        #   ports:
-        #     - name: http
-        #       containerPort: {{ .Values.service.port }}
-        #       protocol: TCP
-        #   livenessProbe:
-        #     httpGet:
-        #       path: /
-        #       port: http
-        #   readinessProbe:
-        #     httpGet:
-        #       path: /
-        #       port: http
           env:
-            - name: "AsKubernetesTentacle"
-              value: "True"
             - name: "ACCEPT_EULA"
-              value: "{{ .Values.tentacle.ACCEPT_EULA }}"
+              value: {{ .Values.tentacle.ACCEPT_EULA | quote }}
             - name: "TargetName"
-              value: "{{ .Values.tentacle.targetName }}"
+              value: {{ .Values.tentacle.targetName | quote }}
             - name: "ServerCommsAddress"
-              value: "{{ .Values.tentacle.serverCommsAddress }}"
+              value: {{ .Values.tentacle.serverCommsAddress | quote }}
             - name: "ServerUrl"
-              value: "{{ .Values.tentacle.serverUrl }}"
-            - name: "DISABLE_DIND"
-              value: "{{ .Values.tentacle.DISABLE_DIND }}"
+              value: {{ .Values.tentacle.serverUrl | quote }}
             - name: "Space"
-              value: "{{ .Values.tentacle.space }}"
+              value: {{ .Values.tentacle.space | quote }}
             - name: "TargetEnvironment"
-              value: "{{ .Values.tentacle.targetEnvironment }}"
+              value: {{ join "," .Values.tentacle.targetEnvironments | quote }}
             - name: "TargetRole"
-              value: "{{ .Values.tentacle.targetRole }}"
+              value: {{ join "," .Values.tentacle.targetRoles | quote }}
+            - name: "OCTOPUS__K8STENTACLE__NAMESPACE"
+              value: {{ .Release.Namespace | quote }}
+            - name: "OCTOPUS__K8STENTACLE__JOBSERVICEACCOUNTNAME"
+              value: {{ include "kubernetes-tentacle.jobServiceAccountName" . | quote }}
+            - name: "OCTOPUS__K8STENTACLE__JOBVOLUMEYAML"
+              value: {{ (include "kubernetes-tentacle.jobVolumeYaml" . | fromYaml).volumes  | toJson  | quote}}
+            - name: "OCTOPUS__K8STENTACLE__FORCE"
+              value: "True"
+            - name: "TentacleHome"
+              value: "/octopus"
+            - name: "TentacleApplications"
+              value: "/octopus/Applications"
             {{- if .Values.tentacle.serverApiKey }}
             - name: "ServerApiKey"
-              value: "{{ .Values.tentacle.serverApiKey }}"
+              valueFrom:
+                secretKeyRef: 
+                  name: {{ include "kubernetes-tentacle.secrets.serverAuth" . }}
+                  key: api-key
             {{- end }}
-            {{- if .Values.tentacle.bearerToken -}}
+            {{- if .Values.tentacle.bearerToken }}
             - name: "BearerToken"
-              value: "{{ .Values.tentacle.bearerToken }}"
+              valueFrom:
+                secretKeyRef: 
+                  name: {{ include "kubernetes-tentacle.secrets.serverAuth" . }}
+                  key: bearer-token
             {{- end }}
+            {{- if .Values.tentacle.listeningPort }}
+            - name: "ListeningPort"
+              value: {{ .Values.tentacle.listeningPort | quote }}
+            {{- end }}
+          {{- with .Values.resources }}
           resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          {{- with .Values.volumeMounts }}
-          volumeMounts:
             {{- toYaml . | nindent 12 }}
+          {{- end}}
+          {{- if .Values.storage.useNFSContainer }}
+          volumeMounts:
+            - mountPath: /octopus
+              name: nfs-pod
+          {{- else if or .Values.volumeMounts }}
+          volumeMounts:
+            {{- .Values.volumeMounts | toYaml | nindent 12 }}
           {{- end }}
-      {{- with .Values.volumes }}
+      {{- if .Values.storage.useNFSContainer }}
       volumes:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
+        - name: nfs-pod
+          nfs:
+            server: {{ .Values.storage.nfsPort }} 
+            path: /
+      {{- else if .Values.volumes }}
+      volumes:
+        {{- .Values.volumes | toYaml | nindent 8 }}
       {{- end }}

charts/kubernetes-tentacle/templates/job-clusterbinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kubernetes-tentacle.jobServiceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubernetes-tentacle.jobServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "kubernetes-tentacle.jobServiceAccountName" . }}
+  apiGroup: rbac.authorization.k8s.io

charts/kubernetes-tentacle/templates/job-clusterrole.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubernetes-tentacle.jobServiceAccountName" . }}
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - '*'

charts/kubernetes-tentacle/templates/job-serviceaccount.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kubernetes-tentacle.jobServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubernetes-tentacle.labels" . | nindent 4 }}
+  {{- with .Values.jobServiceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: true

charts/kubernetes-tentacle/templates/nfs-deployment.yaml

@@ -0,0 +1,47 @@
+{{- if .Values.storage.useNFSContainer }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ printf "%s-nfs" (include "kubernetes-tentacle.fullname" .) }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ printf "%s-nfs" (include "kubernetes-tentacle.fullname" .) }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+        app.kubernetes.io/name: {{ printf "%s-nfs" (include "kubernetes-tentacle.fullname" .) }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        app.kubernetes.io/name: {{ printf "%s-nfs" (include "kubernetes-tentacle.fullname" .) }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: {{ include "kubernetes-tentacle.serviceAccountName" . }}
+      containers:
+        - name: {{ printf "%s-nfs" .Chart.Name }}
+          image: itsthenetwork/nfs-server-alpine:latest
+          securityContext:
+            privileged: true
+          env:
+          - name: "SHARED_DIRECTORY"
+            value: "/octopus"
+          - name: "SYNC"
+            value: "true"   
+          ports:
+          - containerPort: 2049
+          volumeMounts:
+          - mountPath: /octopus
+            name: octopus-volume
+      volumes:
+        - name: octopus-volume
+          emptyDir:
+            sizeLimit: 1Gi
+
+{{- end -}}

charts/kubernetes-tentacle/templates/nfs-service.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.storage.useNFSContainer }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ printf "%s-nfs-svc" (include "kubernetes-tentacle.fullname" .) }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  clusterIP: {{ .Values.storage.nfsPort }}
+  selector:
+    app.kubernetes.io/name: {{ printf "%s-nfs" (include "kubernetes-tentacle.fullname" .) }}
+  ports:
+    - name: nfs
+      port: 2049
+      protocol: TCP
+{{- end }}

charts/kubernetes-tentacle/templates/secrets.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "kubernetes-tentacle.secrets.serverAuth" . }}
+type: Opaque
+data:
+{{- with .Values.tentacle.bearerToken }}
+  bearer-token: {{ . | b64enc }}
+{{- end }}  
+{{- with .Values.tentacle.serverApiKey }}
+  api-key: {{ . | b64enc }}
+{{- end }}

charts/kubernetes-tentacle/templates/service.yaml

@@ -1,15 +1,15 @@
-{{- if .Values.service.enabled -}}
+{{- if .Values.tentacle.listeningPort -}}
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "kubernetes-tentacle.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "kubernetes-tentacle.labels" . | nindent 4 }}
 spec:
-  type: {{ .Values.service.type }}
+  type: "LoadBalancer"
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: http
       protocol: TCP
       name: http
   selector:

charts/kubernetes-tentacle/templates/serviceaccount.yaml

@@ -1,13 +1,36 @@
-{{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "kubernetes-tentacle.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "kubernetes-tentacle.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
-{{- end }}
+automountServiceAccountToken: true
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ printf "%s-role" (include "kubernetes-tentacle.serviceAccountName" .) }}
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups: ["*"]
+  resources: ["jobs"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ printf "%s-binding" (include "kubernetes-tentacle.serviceAccountName" .) }}
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubernetes-tentacle.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ printf "%s-role" (include "kubernetes-tentacle.serviceAccountName" .) }}
+  apiGroup: rbac.authorization.k8s.io