rancher-partner-charts/charts/f5/nginx-service-mesh/templates/post-delete-hook.yaml


---
# Identity for the post-delete hook Jobs below (remove-spiffeids and
# remove-registry-secrets both set serviceAccountName: post-delete).
# Weight -5 creates it before the Jobs (weight 0); hook-delete-policy removes
# it again whether the hooks succeed or fail.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: post-delete
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
# The referenced Secret is a hook resource further down and is rendered only
# when docker-config-json is non-empty. In the other case this points at a
# secret that does not exist; the kubelet is expected to treat a missing pull
# secret as a warning event rather than a failure -- verify for that setup.
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
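---
# Permissions for the post-delete hook Jobs. Cluster-scoped because both Jobs
# iterate over every namespace (`kubectl get ns`) rather than only the
# release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: post-delete.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
rules:
# remove-registry-secrets only ever runs
# `kubectl delete secret <registry-key-name>`. Pinning resourceNames means a
# compromised hook pod (or anyone who can create pods with this SA) cannot
# delete arbitrary secrets cluster-wide; the unrestricted `delete` the role
# previously granted was far more than the script uses. resourceNames is
# honoured for delete (it is not usable for list, which the script never does).
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["{{ include "registry-key-name" . }}"]
  verbs: ["delete"]
# Both Jobs enumerate namespaces.
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
# remove-spiffeids lists SpiffeIDs per namespace and patches finalizers away.
# That script issues `patch`, not `update`; `update` looks removable but is
# left as-is here -- confirm nothing else relies on it before dropping it.
- apiGroups: ["spiffeid.spiffe.io"]
  resources: ["spiffeids"]
  verbs: ["get", "list", "patch", "update"]
{{- if eq .Values.environment "openshift" }}
# OpenShift: allow the hook pods to be admitted under the custom SCC below.
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["post-delete-permissions.builtin.nsm.nginx"]
  verbs: ["use"]
{{- end }}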
---
# Grants the post-delete ServiceAccount the ClusterRole above. A
# ClusterRoleBinding (not a RoleBinding) is needed because the hook Jobs act
# on secrets and SpiffeIDs in every namespace, not just the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: post-delete.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: post-delete.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
  name: post-delete
  # Hook resources land in the release namespace; the subject must match it.
  namespace: {{ .Release.Namespace }}
{{- if (include "docker-config-json" .) }}
---
# Hook-lifetime copy of the registry pull secret, so the hook pods (which name
# it in imagePullSecrets) can still pull the kubectl image once the release's
# resources have been removed. Rendered only when credentials were supplied.
# Weight -5 puts it in place before the Jobs; hook-delete-policy removes it
# when the hooks finish. remove-registry-secrets deliberately skips the release
# namespace so it does not race Helm for this object.
# The credential comes straight from chart values (docker-config-json), so the
# values used at uninstall time are themselves sensitive material.
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "registry-key-name" . }}
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
data:
  .dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
---
# Clears the finalizers on every SpiffeID custom resource in the cluster so the
# objects (and, later, the CRD) do not hang in Terminating once the controller
# that serviced those finalizers has been uninstalled with the release. That
# controller is not part of this file; presumably the SPIRE controller manager
# -- confirm.
apiVersion: batch/v1
kind: Job
metadata:
  name: remove-spiffeids
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "0"
spec:
  template:
    metadata:
      name: remove-spiffeids
    spec:
      restartPolicy: Never
      serviceAccountName: post-delete
      containers:
      - name: remove-spiffeids
        image: {{ include "hook.image-server" . }}/kubectl
        imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
        # Non-root, no privilege escalation. Not set: runAsNonRoot: true,
        # readOnlyRootFilesystem, capabilities.drop: [ALL]. Those would be
        # safe additions for a kubectl-only container; a seccompProfile would
        # additionally depend on what the OpenShift SCC above permits.
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsUser: 101  # nginx
        command:
        - /bin/sh
        - -c
        - |
          for ns in $(kubectl get ns --no-headers -o custom-columns=":metadata.name"); do
            # stderr is discarded, so an RBAC error or an already-removed CRD
            # reads as "no resources" and the namespace is skipped silently.
            # The line count includes kubectl's header, so it is 0 or >= 2.
            if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]; then
              # tail -n +2 drops the header row; every name is patched in one
              # call. Removing finalizers lets the API server finish deletion.
              kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns
            fi
          done
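{{- if (include "docker-config-json" .) }}
---
# Deletes the registry pull secret `<registry-key-name>` from every namespace
# except the release namespace (Helm's hook-delete-policy handles the copy
# created for the hook pods). Rendered only when credentials were supplied,
# the same condition as the hook Secret above.
# The deletion is by fixed name, so an unrelated secret that happens to share
# the name in some namespace would be removed too; a label selector would be
# safer, but the labels the mesh puts on the replicated copies are not visible
# from this file.
apiVersion: batch/v1
kind: Job
metadata:
  name: remove-registry-secrets
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "0"
spec:
  template:
    metadata:
      name: remove-registry-secrets
    spec:
      restartPolicy: Never
      serviceAccountName: post-delete
      containers:
      - name: remove-registry-secrets
        image: {{ include "hook.image-server" . }}/kubectl
        imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
        # Non-root, no privilege escalation; runAsNonRoot / capabilities.drop
        # are not set (see the sibling Job) and would be safe to add.
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsUser: 101  # nginx
        command:
        - /bin/sh
        - -c
        - |
          # If the namespace listing itself fails (RBAC, API unreachable), fail
          # the hook. Previously the loop silently ran over an empty list and
          # the Job reported success with the secret still present everywhere.
          namespaces=$(kubectl get ns --no-headers -o custom-columns=":metadata.name") || exit 1
          rc=0
          for ns in $namespaces; do
            # Exact match on the release namespace. The previous
            # `grep -v {{ .Release.Namespace }}` was an unanchored substring
            # filter and also skipped any namespace merely containing that
            # string (e.g. "<release ns>-staging"), leaving the secret there.
            [ "$ns" = "{{ .Release.Namespace }}" ] && continue
            # --ignore-not-found: most namespaces will not have a copy.
            kubectl -n "$ns" delete secret {{ include "registry-key-name" . }} --ignore-not-found || rc=1
          done
          # Surface a failed delete in any namespace instead of masking it
          # behind the status of the last iteration.
          exit $rc
{{- end }}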
{{- if eq .Values.environment "openshift" }}
---
# OpenShift only: identity for the csi-driver-cleanup Job further down
# (serviceAccountName: post-delete-csi). Kept separate from `post-delete`
# because it is bound to cluster-admin (ClusterRoleBinding below) instead of
# the scoped ClusterRole. Same imagePullSecrets caveat as `post-delete`: the
# named Secret exists only when docker-config-json is set.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: post-delete-csi
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
# SCC that the `post-delete` ServiceAccount may `use` (granted by the
# ClusterRole rule above). Host namespaces, host ports, host-path volumes and
# privileged containers are all denied. The cluster-admin-bound
# `post-delete-csi` SA does not need this SCC.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: post-delete-permissions.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
seLinuxContext:
  type: MustRunAs
# RunAsAny lets a pod admitted under this SCC run as root. The hook pods pin
# runAsUser 101, but nothing here enforces that; MustRunAsNonRoot would, with
# no change to the Jobs in this file. No requiredDropCapabilities or
# seccompProfiles are declared either -- check the target OpenShift version's
# defaults before tightening.
runAsUser:
  type: RunAsAny
readOnlyRootFilesystem: false
---
# NOTE(review): binds the CSI cleanup ServiceAccount to cluster-admin. The
# csi-driver-cleanup Job's kubectl calls are a handful of deletes (daemonset,
# serviceaccount, clusterrole, rolebinding, two SCCs) plus `create -f` of the
# sentinel manifests. The one step that genuinely needs this much privilege is
# creating the sentinel's own cluster-admin ClusterRoleBinding: RBAC
# escalation prevention only lets a subject grant permissions it already holds
# (or has `bind` on for that role). Scoping the sentinel's role would allow
# this binding to be scoped too.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: post-delete-csi.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: post-delete-csi
  namespace: {{ .Release.Namespace }}
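---
# Manifests that the csi-driver-cleanup Job (below) applies with kubectl when
# sidecar-injected pods still exist at uninstall time: a "sentinel" that waits
# for the last injected pod to disappear and then removes the SPIFFE CSI driver
# and its SCCs. Everything in sentinel.yaml is created by kubectl from inside
# the hook, not by Helm, so Helm neither tracks nor deletes it; the sentinel
# deletes its own ServiceAccount and ClusterRoleBinding as its final steps. If
# the sentinel pod dies before that point, a cluster-admin ServiceAccount is
# left behind in the release namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: csi-driver-cleanup
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
data:
  sentinel.yaml: |
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: csi-driver-sentinel
      labels:
        app.kubernetes.io/part-of: nginx-service-mesh
    imagePullSecrets:
    - name: {{ include "registry-key-name" . }}
    ---
    # NOTE(review): cluster-admin is far broader than the sentinel's kubectl
    # calls need (list pods cluster-wide; delete one daemonset, two
    # serviceaccounts, one clusterrole, one rolebinding, two SCCs, one secret
    # and this binding). Binding to cluster-admin is also what forces the Job
    # that creates these objects to be cluster-admin itself, since RBAC only
    # lets a subject grant permissions it already holds or has `bind` on.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: csi-driver-sentinel.builtin.nsm.nginx
      labels:
        app.kubernetes.io/part-of: nginx-service-mesh
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: csi-driver-sentinel
      namespace: {{ .Release.Namespace }}
    ---
    apiVersion: batch/v1
    kind: Job
    metadata:
      name: csi-driver-sentinel
      labels:
        app.kubernetes.io/part-of: nginx-service-mesh
    spec:
      # Garbage-collect the Job as soon as it completes.
      ttlSecondsAfterFinished: 0
      template:
        spec:
          restartPolicy: Never
          serviceAccountName: csi-driver-sentinel
          containers:
          - name: csi-driver-sentinel
            image: {{ include "hook.image-server" . }}/kubectl
            imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
            # Same constraints as every other hook Job in this file; the
            # sentinel previously ran with no securityContext at all.
            securityContext:
              allowPrivilegeEscalation: false
              privileged: false
              runAsUser: 101  # nginx
            command:
            - /bin/sh
            - -c
            - |
              # Block until no pod carries the sidecar-injected annotation.
              # A failed kubectl call (API hiccup, RBAC) must not be read as
              # "zero injected pods" -- the old `while [ $(... | wc -w) -gt 0 ]`
              # did exactly that and would tear the CSI driver out from under
              # running sidecars -- so the query is retried instead.
              while :; do
                injected=$(kubectl get pods -A -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}') || { sleep 5; continue; }
                [ $(printf '%s' "$injected" | wc -w) -eq 0 ] && break
                sleep 5
              done
              kubectl delete daemonset spiffe-csi-driver --ignore-not-found
              kubectl delete serviceaccount spiffe-csi-driver --ignore-not-found
              kubectl delete clusterrole system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
              kubectl delete rolebinding system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
              kubectl delete scc nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
              kubectl delete scc nginx-mesh-sidecar-permissions --ignore-not-found
              kubectl delete secret {{ include "registry-key-name" . }} --ignore-not-found
              # Tear down the sentinel's own identity last; if the pod dies
              # before reaching here these two objects remain.
              kubectl delete serviceaccount csi-driver-sentinel --ignore-not-found
              kubectl delete clusterrolebinding csi-driver-sentinel.builtin.nsm.nginx --ignore-not-found
{{- if (include "docker-config-json" .) }}
  # NOTE(review): this is the registry credential (the same bytes as the hook
  # Secret) persisted in a ConfigMap. ConfigMaps are outside Secret
  # encryption-at-rest and secret-scoped RBAC, so anyone who can read
  # ConfigMaps in the release namespace can read it. It is here so the
  # sentinel's pull secret can be recreated after the hook Secret has been
  # cleaned up by hook-delete-policy; copying the live Secret at run time would
  # avoid storing it in a ConfigMap at all.
  secret.yaml: |
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ include "registry-key-name" . }}
      labels:
        app.kubernetes.io/part-of: nginx-service-mesh
    data:
      .dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
    type: kubernetes.io/dockerconfigjson
{{- end }}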
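---
# OpenShift only. Runs last among the hooks (weight 5). If no pod is still
# sidecar-injected, removes the SPIFFE CSI driver and its SCCs directly.
# Otherwise it applies the sentinel manifests from the csi-driver-cleanup
# ConfigMap -- note that this creates a cluster-admin ServiceAccount and Job
# that Helm does not track; the sentinel is expected to remove them itself.
apiVersion: batch/v1
kind: Job
metadata:
  name: csi-driver-cleanup
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "5"
spec:
  template:
    metadata:
      name: csi-driver-cleanup
    spec:
      restartPolicy: Never
      serviceAccountName: post-delete-csi
      containers:
      - name: csi-driver-cleanup
        image: {{ include "hook.image-server" . }}/kubectl
        imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
        # Non-root, no privilege escalation; runAsNonRoot / capabilities.drop
        # are not set and would be safe to add for a kubectl-only container.
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsUser: 101  # nginx
        command:
        - /bin/sh
        - -c
        - |
          # Count pods still carrying the sidecar-injected annotation. If the
          # query itself fails, fail the hook: the previous
          # `res=$(... | wc -w)` turned a kubectl error into res=0 and went on
          # to delete the CSI driver under running sidecars.
          injected=$(kubectl get pods -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' -A) || exit 1
          res=$(printf '%s' "$injected" | wc -w)
          if [ $res -eq 0 ]; then
            kubectl delete daemonset spiffe-csi-driver --ignore-not-found
            kubectl delete serviceaccount spiffe-csi-driver --ignore-not-found
            kubectl delete clusterrole system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
            kubectl delete rolebinding system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
            kubectl delete scc nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
            kubectl delete scc nginx-mesh-sidecar-permissions --ignore-not-found
          else
{{- if (include "docker-config-json" .) }}
            # The sentinel pod pulls with this secret; recreate it from the
            # ConfigMap copy only if it is not already present.
            if ! kubectl get secret {{ include "registry-key-name" . }} >/dev/null 2>&1; then
              kubectl create -f /tmp/config/secret.yaml
            fi
{{- end }}
            kubectl create -f /tmp/config/sentinel.yaml
          fi
        volumeMounts:
        - name: sentinel
          mountPath: /tmp/config
      volumes:
      - name: sentinel
        configMap:
          name: csi-driver-cleanup
{{- end }}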