Merged
@@ -0,0 +1,34 @@
{{- if .Values.cluster_admin_role }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: preinstall-mas-rbac-job
namespace: mas-{{ .Values.instance_id }}-syncres
annotations:
argocd.argoproj.io/sync-wave: "01"
{{- if .Values.custom_labels }}
labels:
{{ .Values.custom_labels | toYaml | indent 4 }}
{{- end }}

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: preinstall-mas-rbac-job-cluster-rolebinding-{{ .Values.instance_id }}
annotations:
argocd.argoproj.io/sync-wave: "02"
{{- if .Values.custom_labels }}
labels:
{{ .Values.custom_labels | toYaml | indent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: preinstall-mas-rbac-job
namespace: mas-{{ .Values.instance_id }}-syncres
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
{{- end }}
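Review bot: The ClusterRoleBinding's `roleRef` grants the built-in `cluster-admin` ClusterRole to `preinstall-mas-rbac-job`, and nothing visible here removes the binding once the Job has finished. While `cluster_admin_role` is set, any pod that runs under that ServiceAccount in `mas-<instance_id>-syncres` therefore holds full control of the cluster, not just the rights the RBAC setup needs. If the script only creates roles and bindings, a dedicated ClusterRole limited to the `rbac.authorization.k8s.io` resources it manages (plus `bind`/`escalate` where required) would narrow the exposure; this needs confirming against what `mas-devops-apply-preinstall-rbac-for-saas` actually applies. At minimum, add a comment above `roleRef` recording why cluster-admin is needed, e.g. `# cluster-admin is required because <reason>; binding is only rendered when cluster_admin_role is set`.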
@@ -0,0 +1,122 @@
{{- if .Values.cluster_admin_role }}
{{- $masChannel := .Values.mas_channel }}
{{- $versionParts := splitList "." $masChannel }}
{{- $majorVersion := index $versionParts 0 | int }}
{{- $minorVersion := index $versionParts 1 | int }}
{{- if or (gt $majorVersion 9) (and (eq $majorVersion 9) (ge $minorVersion 2)) }}

{{- /*
Meaningful prefix for the job resource name. Must be under 52 chars in length to leave room for the 11 chars reserved for '-' and $_job_hash.
*/}}
{{- $_job_name_prefix := "preinstall-mas-rbac" }}

{{- /*
Use the build/bin/set-cli-image-digest.sh script to update this value across all charts.
Included in $_job_hash (see below).
*/}}
{{- $_cli_image_digest := "sha256:14c852062a8c6149820d9aa7b8315d83f25bb29172b0f318e4fe10af613533f3" }}

{{- /*
A dict of values that influence the behaviour of the job in some way.
Any changes to values in this dict will trigger a rerun of the job.
Since jobs must be idemopotent, it's generally safe to pass in values here that are not
strictly necessary (i.e. including some values that don't actually influence job behaviour).
We may want to refine this further though for jobs that can take a long time to complete.
Included in $_job_hash (see below).
*/}}
{{- $_job_config_values := omit .Values "junitreporter" }}

{{- /*
Increment this value whenever you make a change to an immutable field of the Job resource.
E.g. passing in a new environment variable.
Included in $_job_hash (see below).
*/}}
{{- $_job_version := "v1" }}

{{- /*
10 char hash appended to the job name taking into account $_job_config_values, $_job_version and $_cli_image_digest
This is to ensure ArgoCD will create a new job resource intead of attempting (and failing) to update an
immutable field of any existing Job resource.
*/}}
{{- $_job_hash := print ($_job_config_values | toYaml) $_cli_image_digest $_job_version | adler32sum }}

{{- $_job_name := join "-" (list $_job_name_prefix $_job_hash )}}

{{- /*
Set as the value for the mas.ibm.com/job-cleanup-group label on the Job resource.

When the auto_delete flag is not set on the root application, a CronJob in the cluster uses this label
to identify old Job resources that should be pruned on behalf of ArgoCD.

Any Job resources in the same namespace that have the mas.ibm.com/job-cleanup-group with this value
will be considered to belong to the same cleanup group. All but the most recent (i.e. with the latest "creation_timestamp")
Jobs will be automatically deleted.

$_job_cleanup_group can usually just be based on $_job_name_prefix. There are some special cases
where multiple Jobs are created in our templates using a Helm loop. In those cases, additional descriminators
must be added to $_job_cleanup_group.

By convention, we sha1sum this value to guarantee we never exceed the 63 char limit regardless of which discriminators
are required here.

*/}}
{{- $_job_cleanup_group := cat $_job_name_prefix | sha1sum }}


---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $_job_name }}
namespace: mas-{{ .Values.instance_id }}-syncres
annotations:
argocd.argoproj.io/sync-wave: "00"
labels:
mas.ibm.com/job-cleanup-group: {{ $_job_cleanup_group }}
{{- if .Values.custom_labels }}
{{ .Values.custom_labels | toYaml | indent 4 }}
{{- end }}
spec:
template:
metadata:
labels:
app: "sync-job"
{{- if .Values.custom_labels }}
{{ .Values.custom_labels | toYaml | indent 8 }}
{{- end }}
spec:
containers:
- name: preinstall-mas-rbac
image: {{ .Values.cli_image_repo | default "quay.io/ibmmas/cli" }}@{{ $_cli_image_digest }}
imagePullPolicy: IfNotPresent
env:
- name: MAS_INSTANCE_ID
value: "{{ .Values.instance_id }}"
- name: MAS_VERSION
value: "{{ .Values.mas_channel }}"
command:
- /bin/sh
- -c
- |
set -e

echo ""
echo "================================================================================"
echo "Applying Pre-Install MAS RBAC (Cluster Mode)"
echo "================================================================================"

mas-devops-apply-preinstall-rbac-for-saas \
--mas-instance-id "${MAS_INSTANCE_ID}" \
--mas-version "${MAS_VERSION}" \
--admin-mode "cluster"
Comment thread
whitfiea marked this conversation as resolved.

rc=$?
echo "preinstall_mas_rbac rc=${rc}"
[ $rc -ne 0 ] && exit $rc
exit 0

restartPolicy: Never
serviceAccountName: preinstall-mas-rbac-job
backoffLimit: 4
{{- end }}
{{- end }}
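Review bot: The Job carries `argocd.argoproj.io/sync-wave: "00"`, but the ServiceAccount it names in `serviceAccountName: preinstall-mas-rbac-job` is in wave `"01"` and the ClusterRoleBinding is in wave `"02"`. If all three resources sync in the same Argo CD application, the Job is applied first. Its pod cannot be admitted until the ServiceAccount exists, and would lack the bound permissions until wave `"02"`, while Argo CD waits for the earlier wave to become healthy, so the sync can stall or the job can fail on authorization. Ordering them so the identity exists before the workload avoids this: ServiceAccount `"00"`, ClusterRoleBinding `"01"`, Job `"02"`.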
Expand Up @@ -63,6 +63,7 @@ spec:

{{- if not (empty .Values.ibm_mas_suite) }}

mas_channel: "{{ .Values.ibm_mas_suite.mas_channel }}"
mas_manual_cert_mgmt: {{ .Values.ibm_mas_suite.mas_manual_cert_mgmt }}
dns_provider: "{{ .Values.ibm_mas_suite.dns_provider }}"
mas_workspace_id: "{{ .Values.ibm_mas_suite.mas_workspace_id }}"
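Review bot: The `mas_channel` line (apparently the one this hunk adds) passes the value through with no default or presence check, so an unset `ibm_mas_suite.mas_channel` reaches the child chart as an empty string. The preinstall RBAC job template on this page then evaluates `index $versionParts 1` on the split value, which fails rendering with an index-out-of-range error when the channel is empty or has no `.` in it. Consider failing early with a clear message here, e.g. `mas_channel: "{{ required "ibm_mas_suite.mas_channel is required" .Values.ibm_mas_suite.mas_channel }}"`, or guarding the length of `$versionParts` in the job template before indexing.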