139 lines
3.7 KiB
YAML
139 lines
3.7 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: pre-install
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
|
"helm.sh/hook-weight": "-5"
|
|
imagePullSecrets:
|
|
- name: {{ include "registry-key-name" . }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: pre-install.builtin.nsm.nginx
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
|
"helm.sh/hook-weight": "-5"
|
|
rules:
|
|
- apiGroups:
|
|
- ''
|
|
resources:
|
|
- namespaces
|
|
verbs:
|
|
- get
|
|
- list
|
|
- patch
|
|
{{- if eq .Values.environment "openshift" }}
|
|
- apiGroups:
|
|
- security.openshift.io
|
|
resources:
|
|
- securitycontextconstraints
|
|
resourceNames:
|
|
- pre-install-permissions.builtin.nsm.nginx
|
|
verbs:
|
|
- use
|
|
---
|
|
apiVersion: security.openshift.io/v1
|
|
kind: SecurityContextConstraints
|
|
metadata:
|
|
name: pre-install-permissions.builtin.nsm.nginx
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
|
"helm.sh/hook-weight": "-5"
|
|
allowHostDirVolumePlugin: false
|
|
allowHostIPC: false
|
|
allowHostNetwork: false
|
|
allowHostPID: false
|
|
allowHostPorts: false
|
|
allowPrivilegedContainer: false
|
|
seLinuxContext:
|
|
type: MustRunAs
|
|
runAsUser:
|
|
type: RunAsAny
|
|
readOnlyRootFilesystem: false
|
|
{{- end }}
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: pre-install.builtin.nsm.nginx
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
|
"helm.sh/hook-weight": "-5"
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: pre-install.builtin.nsm.nginx
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: pre-install
|
|
namespace: {{ .Release.Namespace }}
|
|
{{- if (include "docker-config-json" .) }}
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: {{ include "registry-key-name" . }}
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
|
"helm.sh/hook-weight": "-5"
|
|
data:
|
|
.dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
|
|
type: kubernetes.io/dockerconfigjson
|
|
{{- end }}
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: label-namespace
|
|
labels:
|
|
app.kubernetes.io/part-of: nginx-service-mesh
|
|
annotations:
|
|
"helm.sh/hook": pre-install
|
|
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
|
|
"helm.sh/hook-weight": "0"
|
|
spec:
|
|
template:
|
|
metadata:
|
|
name: label-namespace
|
|
spec:
|
|
restartPolicy: Never
|
|
serviceAccountName: pre-install
|
|
containers:
|
|
- name: label-namespace
|
|
image: {{ include "hook.image-server" . }}/kubectl
|
|
imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
|
|
securityContext:
|
|
runAsUser: 0
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- |
|
|
kubectl label namespace kube-system injector.nsm.nginx.com/auto-inject=false
|
|
kubectl label namespace {{ .Release.Namespace }} --overwrite injector.nsm.nginx.com/auto-inject=false app.kubernetes.io/part-of=nginx-service-mesh
|
|
{{- if .Values.rancher }}
|
|
kubectl label namespace ingress-nginx cert-manager injector.nsm.nginx.com/auto-inject=false
|
|
for ns in $(kubectl get ns | awk '{print $1}' | tail -n +2); do
|
|
case "$ns" in
|
|
cattle-*) kubectl label namespace $ns injector.nsm.nginx.com/auto-inject=false ;;
|
|
esac
|
|
done
|
|
{{- end }}
|