diff --git a/instance-applications/000-ibm-sync-resources/templates/01-02-preinstall-mas-rbac-job_ServiceAccount.yaml b/instance-applications/000-ibm-sync-resources/templates/01-02-preinstall-mas-rbac-job_ServiceAccount.yaml
new file mode 100644
index 000000000..3617e1694
--- /dev/null
+++ b/instance-applications/000-ibm-sync-resources/templates/01-02-preinstall-mas-rbac-job_ServiceAccount.yaml
@@ -0,0 +1,34 @@
+{{- if .Values.cluster_admin_role }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: preinstall-mas-rbac-job
+ namespace: mas-{{ .Values.instance_id }}-syncres
+ annotations:
+ argocd.argoproj.io/sync-wave: "01"
+{{- if .Values.custom_labels }}
+ labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: preinstall-mas-rbac-job-cluster-rolebinding-{{ .Values.instance_id }}
+ annotations:
+ argocd.argoproj.io/sync-wave: "02"
+{{- if .Values.custom_labels }}
+ labels:
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: preinstall-mas-rbac-job
+ namespace: mas-{{ .Values.instance_id }}-syncres
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+{{- end }}
\ No newline at end of file
diff --git a/instance-applications/010-ibm-sync-jobs/templates/00-preinstall-mas-rbac_Job.yaml b/instance-applications/010-ibm-sync-jobs/templates/00-preinstall-mas-rbac_Job.yaml
new file mode 100644
index 000000000..31498e0ca
--- /dev/null
+++ b/instance-applications/010-ibm-sync-jobs/templates/00-preinstall-mas-rbac_Job.yaml
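Review bot: The ClusterRoleBinding at the end of this hunk binds the job's ServiceAccount to the built-in `cluster-admin` ClusterRole, and nothing in the chart scopes it down or removes it once the job has run, so a token in namespace `mas-<instance_id>-syncres` carries full cluster privileges for as long as the instance exists. Since the job it serves only applies pre-install RBAC, a dedicated ClusterRole limited to the objects that job creates (RBAC resources with `bind`/`escalate` only where needed, plus the namespaces it touches) would follow least privilege; if cluster-admin is genuinely required, add a comment above `roleRef` recording why, e.g. `# cluster-admin: the preinstall job must create cluster-scoped RBAC a narrower role could not bind/escalate — TODO confirm minimal verbs`. Consider also `automountServiceAccountToken: false` on the ServiceAccount, re-enabled only on the Job's pod spec, so no other pod that happens to run as this SA receives the token. The `cluster_admin_role` value reads like a role name but is used here purely as a boolean gate; documenting the expected value in values.yaml or renaming it would avoid confusion.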
@@ -0,0 +1,122 @@
+{{- if .Values.cluster_admin_role }}
+{{- $masChannel := .Values.mas_channel }}
+{{- $versionParts := splitList "." $masChannel }}
+{{- $majorVersion := index $versionParts 0 | int }}
+{{- $minorVersion := index $versionParts 1 | int }}
+{{- if or (gt $majorVersion 9) (and (eq $majorVersion 9) (ge $minorVersion 2)) }}
+
+{{- /*
+Meaningful prefix for the job resource name. Must be under 52 chars in length to leave room for the 11 chars reserved for '-' and $_job_hash.
+*/}}
+{{- $_job_name_prefix := "preinstall-mas-rbac" }}
+
+{{- /*
+Use the build/bin/set-cli-image-digest.sh script to update this value across all charts.
+Included in $_job_hash (see below).
+*/}}
+{{- $_cli_image_digest := "sha256:14c852062a8c6149820d9aa7b8315d83f25bb29172b0f318e4fe10af613533f3" }}
+
+{{- /*
+A dict of values that influence the behaviour of the job in some way.
+Any changes to values in this dict will trigger a rerun of the job.
+Since jobs must be idemopotent, it's generally safe to pass in values here that are not
+strictly necessary (i.e. including some values that don't actually influence job behaviour).
+We may want to refine this further though for jobs that can take a long time to complete.
+Included in $_job_hash (see below).
+*/}}
+{{- $_job_config_values := omit .Values "junitreporter" }}
+
+{{- /*
+Increment this value whenever you make a change to an immutable field of the Job resource.
+E.g. passing in a new environment variable.
+Included in $_job_hash (see below).
+*/}}
+{{- $_job_version := "v1" }}
+
+{{- /*
+10 char hash appended to the job name taking into account $_job_config_values, $_job_version and $_cli_image_digest
+This is to ensure ArgoCD will create a new job resource intead of attempting (and failing) to update an
+immutable field of any existing Job resource.
+*/}}
+{{- $_job_hash := print ($_job_config_values | toYaml) $_cli_image_digest $_job_version | adler32sum }}
+
+{{- $_job_name := join "-" (list $_job_name_prefix $_job_hash )}}
+
+{{- /*
+Set as the value for the mas.ibm.com/job-cleanup-group label on the Job resource.
+
+When the auto_delete flag is not set on the root application, a CronJob in the cluster uses this label
+to identify old Job resources that should be pruned on behalf of ArgoCD.
+
+Any Job resources in the same namespace that have the mas.ibm.com/job-cleanup-group with this value
+will be considered to belong to the same cleanup group. All but the most recent (i.e. with the latest "creation_timestamp")
+Jobs will be automatically deleted.
+
+$_job_cleanup_group can usually just be based on $_job_name_prefix. There are some special cases
+where multiple Jobs are created in our templates using a Helm loop. In those cases, additional descriminators
+must be added to $_job_cleanup_group.
+
+By convention, we sha1sum this value to guarantee we never exceed the 63 char limit regardless of which discriminators
+are required here.
+
+*/}}
+{{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }}
+
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ $_job_name }}
+ namespace: mas-{{ .Values.instance_id }}-syncres
+ annotations:
+ argocd.argoproj.io/sync-wave: "00"
+ labels:
+ mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }}
+{{- if .Values.custom_labels }}
+{{ .Values.custom_labels | toYaml | indent 4 }}
+{{- end }}
+spec:
+ template:
+ metadata:
+ labels:
+ app: "sync-job"
+{{- if .Values.custom_labels }}
+{{ .Values.custom_labels | toYaml | indent 8 }}
+{{- end }}
+ spec:
+ containers:
+ - name: preinstall-mas-rbac
+ image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: MAS_INSTANCE_ID
+ value: "{{ .Values.instance_id }}"
+ - name: MAS_VERSION
+ value: "{{ .Values.mas_channel }}"
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -e
+
+ echo ""
+ echo "================================================================================"
+ echo "Applying Pre-Install MAS RBAC (Cluster Mode)"
+ echo "================================================================================"
+
+ mas-devops-apply-preinstall-rbac-for-saas \
+ --mas-instance-id "${MAS_INSTANCE_ID}" \
+ --mas-version "${MAS_VERSION}" \
+ --admin-mode "cluster"
+
+ rc=$?
+ echo "preinstall_mas_rbac rc=${rc}"
+ [ $rc -ne 0 ] && exit $rc
+ exit 0
+
+ restartPolicy: Never
+ serviceAccountName: preinstall-mas-rbac-job
+ backoffLimit: 4
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/root-applications/ibm-mas-instance-root/templates/010-ibm-sync-jobs.yaml b/root-applications/ibm-mas-instance-root/templates/010-ibm-sync-jobs.yaml
index d858362bf..5e32b96e2 100644
--- a/root-applications/ibm-mas-instance-root/templates/010-ibm-sync-jobs.yaml
+++ b/root-applications/ibm-mas-instance-root/templates/010-ibm-sync-jobs.yaml
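Review bot: The version gate at the top of the hunk calls `index $versionParts 1` unconditionally, so when `cluster_admin_role` is set but `mas_channel` is empty or has no `.` (the root application passes it through as a quoted string, so an unset value renders as `""`), `splitList` yields a single element and Helm aborts the whole release render with an index-out-of-range error instead of simply skipping the job. Guarding it, e.g. `{{- $masChannel := required "mas_channel must be set when cluster_admin_role is enabled" .Values.mas_channel }}` together with `{{- $minorVersion := 0 }}{{- if ge (len $versionParts) 2 }}{{- $minorVersion = index $versionParts 1 | int }}{{- end }}`, gives a readable error or a safe default. In the container script, `rc=$?` after `mas-devops-apply-preinstall-rbac-for-saas` is always 0 under `set -e` (a non-zero exit already terminates the shell), so the `[ $rc -ne 0 ] && exit $rc` check is dead; drop either `set -e` or the manual check so the intended failure path is the one that actually runs. The pod also declares no `securityContext` (runAsNonRoot, drop capabilities, no privilege escalation) and no resource requests/limits, which is worth adding given this ServiceAccount is bound to cluster-admin elsewhere in the change.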
@@ -63,6 +63,7 @@ spec: {{- if not (empty .Values.ibm_mas_suite) }} + mas_channel: "{{ .Values.ibm_mas_suite.mas_channel }}" mas_manual_cert_mgmt: {{ .Values.ibm_mas_suite.mas_manual_cert_mgmt }} dns_provider: "{{ .Values.ibm_mas_suite.dns_provider }}" mas_workspace_id: "{{ .Values.ibm_mas_suite.mas_workspace_id }}"